Related Commands

interface port-channel

To access or create a port-channel interface, use the interface port-channel command.

interface port-channel channel-group

Syntax Description

channel-group

Port-channel group number; valid values are from 1 to 64.

Defaults

This command has no default settings.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.

You can also create the port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign the physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.

Only one port channel in a channel group is allowed.

Caution The Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.

If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.

Examples

This example creates a port-channel interface with a channel-group number of 64:

Related Commands

interface range

To run a command on multiple ports at the same time, use the interface range command.

interface range {vlan vlan_id - vlan_id} {port-range | macro name}

Syntax Description

vlan vlan_id - vlan_id

Specifies a VLAN range; valid values are from 1 to 4094.

port-range

Port range; for a list of valid values for port-range, see the "Usage Guidelines" section.

macro name

Specifies the name of a macro.

Defaults

This command has no default settings.

Command Modes

Global configuration mode

Interface configuration mode

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.

Usage Guidelines

You can use the interface range command on the existing VLAN SVIs only. To display the VLAN SVIs, enter the show running-config command. The VLANs that are not displayed cannot be used in the interface range command.

The values that are entered with the interface range command are applied to all the existing VLAN SVIs.

All configuration changes that are made to a port range are saved to NVRAM, but the port ranges that are created with the interface range command do not get saved to NVRAM.

You can enter the port range in two ways:

•Specifying up to five port ranges

•Specifying a previously defined macro

You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span the modules.

You can define up to five port ranges on a single command; separate each range with a comma.

When you define a range, you must enter a space between the first port and the hyphen (-):

interface range gigabitethernet 5/1 -20, gigabitethernet4/5 -20.

Use this format when entering the port-range:

•interface-type {mod}/{first-port} - {last-port}

Valid values for interface-type are as follows:

•FastEthernet

•GigabitEthernet

•Vlan vlan_id

You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.

You can specify a single interface in the port-range value. This makes the command similar to the interface interface-number command.

Examples

This example shows how to use the interface range command to select the interfaces FE 5/18 - 20:

Related Commands

interface vlan

To create or access a Layer 3 switch virtual interface (SVI), use the interface vlan command. To delete an SVI, use the no form of this command.

interface vlan vlan_id

no interface vlan vlan_id

Syntax Description

vlan_id

Number of the VLAN; valid values are from 1 to 4094.

Defaults

Fast EtherChannel is not specified.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended addressing was added.

Usage Guidelines

The SVIs are created the first time that you enter the interface vlan vlan_id command for a particular VLAN. The vlan_id value corresponds to the VLAN tag that is associated with the data frames on an ISL or 802.1Q-encapsulated trunk or the VLAN ID that is configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.

If you delete an SVI by entering the no interface vlan vlan_id command, the associated interface is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.

You can reinstate a deleted SVI by entering the interface vlan vlan_id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.

Examples

This example shows the output when you enter the interface vlan vlan_id command for a new VLAN number:

Switch(config)# interface vlan 23

% Creating new VLAN interface.

Switch(config)#

ip arp inspection filter vlan

To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.

ip arp inspection filter arp-acl-name vlan vlan-range [static]

no ip arp inspection filter arp-acl-name vlan vlan-range [static]

Syntax Description

arp-acl-name

Access control list name.

vlan-range

VLAN number or range; valid values are from 1 to 4094.

static

(Optional) Specifies that the access control list should be applied statically.

Defaults

No defined ARP ACLs are applied to any VLAN.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.

This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.

If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.
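The decision order described above, modelled as an added Python example (this is not Cisco code and not part of the original reference). The ACL entry layout, the first-match evaluation, the names ArpAce and dai_verdict, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ArpAce:
    """One ARP ACL entry; None in a field means "any" (assumed layout)."""
    action: str                 # "permit" or "deny"
    ip: Optional[str] = None    # sender IP address
    mac: Optional[str] = None   # sender MAC address, lower case

    def matches(self, ip: str, mac: str) -> bool:
        return self.ip in (None, ip) and self.mac in (None, mac)


def dai_verdict(sender_ip, sender_mac, acl, dhcp_bindings, static=False):
    """Return (verdict, reason) for the sender IP-to-MAC binding of one ARP packet."""
    mac = sender_mac.lower()
    for ace in acl:                      # first matching entry decides (assumption)
        if ace.matches(sender_ip, mac):
            if ace.action == "permit":
                return ("forward", "acl-permit")
            # Explicit deny: dropped without consulting the DHCP bindings.
            return ("drop", "acl-explicit-deny")
    # No entry matched, so the packet hits the implicit deny.
    if static:
        # ACL applied statically: the DHCP bindings are not consulted.
        return ("drop", "acl-implicit-deny")
    if dhcp_bindings.get(sender_ip) == mac:
        return ("forward", "dhcp-binding")
    return ("drop", "no-dhcp-binding")


# Constructed sample data (not from the page).
STATIC_HOSTS = [
    ArpAce("permit", ip="10.0.0.10", mac="00:11:22:33:44:55"),  # host with a static IP
    ArpAce("deny", ip="10.0.0.1"),                              # nobody may claim 10.0.0.1
]
DHCP_BINDINGS = {"10.0.0.50": "66:77:88:99:aa:bb"}              # learned by DHCP snooping

if __name__ == "__main__":
    for ip, mac in [("10.0.0.10", "00:11:22:33:44:55"),
                    ("10.0.0.1", "de:ad:be:ef:00:01"),
                    ("10.0.0.50", "66:77:88:99:aa:bb"),
                    ("10.0.0.50", "00:00:00:00:00:99")]:
        print(ip, mac,
              dai_verdict(ip, mac, STATIC_HOSTS, DHCP_BINDINGS),
              dai_verdict(ip, mac, STATIC_HOSTS, DHCP_BINDINGS, static=True))
```

The third sample host shows the practical effect of the static keyword: a DHCP client that is forwarded when the ACL is applied without static is dropped once it is applied statically, because only the ACL can permit it.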

Examples

This example shows how to apply the ARP ACL static hosts to VLAN 1 for DAI:

Related Commands

Displays the status of dynamic ARP inspection for a specific range of VLANs.

ip arp inspection limit (interface)

To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command. To release the limit, use the no form of this command.

ip arp inspection limit {rate pps | none} [burst interval seconds]

no ip arp inspection limit

Syntax Description

rate pps

Specifies an upper limit on the number of incoming packets processed per second. The rate can range from 1 to 10000.

none

Specifies no upper limit on the rate of the incoming ARP packets that can be processed.

burst interval seconds

(Optional) Specifies the consecutive interval in seconds over which the interface is monitored for the high rate of the ARP packets. The interval is configurable from 1 to 15 seconds.

Defaults

The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all the trusted interfaces.

The burst interval is set to 1 second by default.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(20)EW

Added support for interface monitoring.

Usage Guidelines

The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.

The rate of the incoming ARP packets on the channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.

After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
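A simplified model of the rate and burst-interval behavior described above, as an added Python example (not Cisco code and not part of the original reference). The function names errdisable_second and channel_rate and the per-second packet counts are constructed for illustration; the model assumes the switch counts packets in whole one-second buckets.

```python
from typing import Iterable, List, Optional


def errdisable_second(per_second: Iterable[int], rate: Optional[int] = 15,
                      burst_interval: int = 1) -> Optional[int]:
    """Return the index of the second at which the port is error-disabled, or None.

    rate=None models the `none` keyword (no upper limit). The defaults are the
    page's defaults for an untrusted interface: 15 pps, burst interval 1 second.
    """
    if rate is None:
        return None
    if not 1 <= rate <= 10000 or not 1 <= burst_interval <= 15:
        raise ValueError("rate must be 1-10000 pps, burst interval 1-15 seconds")
    consecutive = 0
    for second, packets in enumerate(per_second):
        if packets > rate:
            consecutive += 1
            if consecutive >= burst_interval:
                return second
        else:
            consecutive = 0      # one second at or below the rate restarts the count
    return None


def channel_rate(members: List[List[int]]) -> List[int]:
    """Per-second ARP rate seen by a channel port: the sum over its members."""
    return [sum(counts) for counts in zip(*members)]


if __name__ == "__main__":
    # Constructed per-second ARP packet counts.
    print(errdisable_second([10, 16, 3]))                        # default limits
    spiky = [25, 25, 25, 25, 10, 25, 25, 25, 25, 25]
    print(errdisable_second(spiky, rate=20, burst_interval=5))   # 20 pps over 5 seconds
    members = [[12, 12, 12], [12, 12, 12]]                       # each member is under 15 pps
    print([errdisable_second(m) for m in members])
    print(errdisable_second(channel_rate(members)))              # the channel is not
```

The last two lines show why the channel limit has to be sized from the members' measured rates: neither member exceeds 15 pps, but their sum does.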

Examples

This example shows how to limit the rate of the incoming ARP requests to 25 packets per second:

Switch# config terminal

Switch(config)# interface fa6/3

Switch(config-if)# ip arp inspection limit rate 25

Switch(config-if)# end

Switch# show ip arp inspection interfaces fastEthernet 6/3

Interface Trust State Rate (pps)

--------------- ----------- ----------

Fa6/3 Trusted 25

Switch#

This example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:

Syntax Description

Number of entries from the logging buffer; the range is from 0 to 1024.

logs number

Number of entries to be logged in an interval; the range is from 0 to 1024. A 0 value indicates that entries should not be logged out of this buffer.

interval seconds

Logging rate; the range is from 0 to 86400 (1 day). A 0 value indicates an immediate log.

Defaults

When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.

The number of entries is set to 32.

The number of logging entries is limited to 5 per second.

The interval is set to 1.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registering these packets is done in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ip arp inspection log-buffer entries 45

Switch(config)# end

Switch# show ip arp inspection log

Total Log Buffer Size : 45

Syslog rate : 5 entries per 1 seconds.

No entries in log buffer.

Switch#

This example shows how to configure the logging rate to 10 logs per 3 seconds:

Related Commands

Displays the status of dynamic ARP inspection for a specific range of VLANs.

ip arp inspection trust

To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.

ip arp inspection trust

no ip arp inspection trust

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Related Commands

Displays the status of dynamic ARP inspection for a specific range of VLANs.

ip arp inspection validate

To perform specific checks for ARP inspection, use the ip arp inspection validate command. To disable checks, use the no form of this command.

ip arp inspection validate [src-mac] [dst-mac] [ip]

no ip arp inspection validate [src-mac] [dst-mac] [ip]

Syntax Description

src-mac

(Optional) Checks the source MAC address in the Ethernet header against the sender's MAC address in the ARP body. This checking is done against both ARP requests and responses.

Note When src-mac is enabled, packets with different MAC addresses are classified as invalid and are dropped.

dst-mac

(Optional) Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This checking is done for ARP responses.

Note When dst-mac is enabled, the packets with different MAC addresses are classified as invalid and are dropped.

ip

(Optional) Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

The sender IP addresses are checked in all ARP requests and responses and target IP addresses are checked only in ARP responses.

Defaults

Checks are disabled.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

The no form of this command disables only the specified checks. If none of the check options are enabled, all the checks are disabled.
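The three checks from the Syntax Description, applied to raw frames in an added Python example (not Cisco code and not part of the original reference). The function names, the untagged Ethernet II framing, and the sample frames are constructed for illustration.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ALL_CHECKS = ("src-mac", "dst-mac", "ip")


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed, untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_frame(frame):
    """Split the frame into the header and ARP body fields the checks compare."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
        "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def bad_ip(addr):
    """0.0.0.0, 255.255.255.255 and all IP multicast addresses are invalid."""
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast)


def failed_checks(frame, enabled=ALL_CHECKS):
    """Return the enabled checks that this frame fails (empty list: frame passes)."""
    f = parse_frame(frame)
    failed = []
    # src-mac: Ethernet source vs. ARP sender MAC, for requests and responses.
    if "src-mac" in enabled and f["eth_src"] != f["sha"]:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs. ARP target MAC, for responses only.
    if "dst-mac" in enabled and f["op"] == ARP_REPLY and f["eth_dst"] != f["tha"]:
        failed.append("dst-mac")
    # ip: sender IP in every packet, target IP only in responses.
    if "ip" in enabled:
        addrs = [f["spa"]] + ([f["tpa"]] if f["op"] == ARP_REPLY else [])
        if any(bad_ip(a) for a in addrs):
            failed.append("ip")
    return failed


# Constructed sample frames (locally administered MACs, private addresses).
A, B, FORGED = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
GOOD_REPLY = build_frame(A, B, ARP_REPLY, B, "10.0.0.5", A, "10.0.0.1")
SPOOFED_REPLY = build_frame(A, B, ARP_REPLY, FORGED, "10.0.0.1", A, "10.0.0.7")
BCAST_REQUEST = build_frame(BCAST, B, ARP_REQUEST, B, "10.0.0.5", ZERO, "10.0.0.1")
MISDIRECTED_REPLY = build_frame(BCAST, B, ARP_REPLY, B, "10.0.0.5", A, "10.0.0.1")
MCAST_REPLY = build_frame(A, B, ARP_REPLY, B, "10.0.0.5", A, "224.0.0.1")
# An ARP probe (RFC 5227) carries sender IP 0.0.0.0, so under the rule as
# stated on this page it fails the ip check.
PROBE_REQUEST = build_frame(BCAST, B, ARP_REQUEST, B, "0.0.0.0", ZERO, "10.0.0.9")

if __name__ == "__main__":
    for name in ("GOOD_REPLY", "SPOOFED_REPLY", "BCAST_REQUEST",
                 "MISDIRECTED_REPLY", "MCAST_REPLY", "PROBE_REQUEST"):
        print(name, failed_checks(globals()[name]))
    # Each command overrides the previous one: with only ip enabled,
    # the spoofed reply is no longer caught by src-mac.
    print(failed_checks(SPOOFED_REPLY, enabled=("ip",)))
```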

Syntax Description

Number of the VLANs to be mapped to the specified instance. The number is entered as a single value or a range; valid values are from 1 to 4094.

acl-match

Specifies the logging criteria for packets that are dropped or permitted based on ACL matches.

matchlog

Specifies that logging of packets matched against ACLs is controlled by the matchlog keyword in the permit and deny access control entries of the ACL.

Note By default, the matchlog keyword is not available on the ACEs. When the keyword is used, denied packets are not logged. Packets are logged only when they match against an ACE that has the matchlog keyword.

none

Specifies that ACL-matched packets are not logged.

dhcp-bindings

Specifies the logging criteria for packets dropped or permitted based on matches against the DHCP bindings.

permit

Specifies logging when permitted by DHCP bindings.

all

Specifies logging when permitted or denied by DHCP bindings.

none

Prevents all logging of packets permitted or denied by DHCP bindings.

Defaults

All denied or dropped packets are logged.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available to you are as follows:

•acl-match—Logging on ACL matches is reset to log on deny

•dhcp-bindings—Logging on DHCP binding comparisons is reset to log on deny

Examples

This example shows how to configure an ARP inspection on VLAN 1 to add packets to a log on matching against the ACLs with the logging keyword:

Related Commands

Displays the status of dynamic ARP inspection for a specific range of VLANs.

ip cef load-sharing algorithm

To configure the load-sharing hash function so that the source TCP/UDP port, the destination TCP/UDP port, or both ports can be included in the hash in addition to the source and destination IP addresses, use the ip cef load-sharing algorithm command. To revert back to the default, which does not include the ports, use the no form of this command.

Syntax Description

Specifies the destination port in the load-balancing hash. Uses the source and destination in hash functions.

original

Specifies the original algorithm; not recommended.

tunnel

Specifies the algorithm for use in tunnel-only environments.

universal

Specifies the default Cisco IOS load-sharing algorithm.

Defaults

Default load-sharing algorithm is disabled.

Note This option does not include the source or destination port in the load-balancing hash.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The original algorithm, tunnel algorithm, and universal algorithm are routed through the hardware. For software-routed packets, the algorithms are handled by the software. The include-ports option does not apply to the software-switched traffic.

Examples

This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 ports:

Switch(config)# ip cef load-sharing algorithm include-ports

Switch(config)#

This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 tunneling ports:

ip dhcp snooping database

To store the bindings that are generated by DHCP snooping, use the ip dhcp snooping database command. To either reset the timeout, reset the write-delay, or delete the agent specified by the URL, use the no form of this command.

ip dhcp snooping database {url | timeout seconds | write-delay seconds}

no ip dhcp snooping database {timeout | write-delay}

Syntax Description

url

Specifies the URL in one of the following forms:

•tftp://<host>/<filename>

•ftp://<user>:<password>@<host>/<filename>

•rcp://<user>@<host>/<filename>

•nvram:/<filename>

•bootflash:/<filename>

timeout seconds

Specifies when to abort the database transfer process after a change to the binding database.

The minimum value of the delay is 15 seconds. 0 is defined as an infinite duration.

write-delay seconds

Specifies the duration for which the transfer should be delayed after a change to the binding database.

Defaults

The timeout value is set to 300 seconds (5 minutes).

The write-delay value is set to 300 seconds.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You need to create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write the set of bindings for the first time at the URL.

Note Because both NVRAM and bootflash have limited storage capacity, using TFTP or network-based files is recommended. If you use flash to store the database file, new updates (by the agent) result in the creation of new files (flash fills quickly). In addition, due to the nature of the file system used on the flash, a large number of files causes access to be considerably slowed. When a file is stored in a remote location accessible through TFTP, an RPR/SSO standby supervisor engine can take over the binding list when a switchover occurs.

Examples

This example shows how to store a database file with the IP address 10.1.1.1 within a directory called directory. A file named file must be present on the TFTP server.

ip dhcp snooping information option allow-untrusted

To allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port, use the ip dhcp snooping information option allow-untrusted command. To disallow receipt of these DHCP packets, use the no form of this command.

ip dhcp snooping information option allow-untrusted

no ip dhcp snooping information option allow-untrusted

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP packets with option 82 are not allowed on snooping untrusted ports.

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(25)EWA

Support for this command was introduced on the Catalyst 4500 series switch.

Examples

This example shows how to allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port:

ip dhcp snooping limit rate

To configure the number of the DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP snooping rate limiting, use the no form of this command.

ip dhcp snooping limit rate rate

no ip dhcp snooping limit rate

Syntax Description

rate

Number of DHCP messages a switch can receive per second.

Defaults

DHCP snooping rate limiting is disabled.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.

To enable circuit-id (a suboption of DHCP snooping option 82) on a VLAN, use the ip dhcp snooping vlan information option format-type circuit-id string command. To disable circuit-id on a VLAN, use the no form of this command.

Syntax Description

Specifies a user-defined string for the circuit ID; range of 3 to 63 ASCII characters with no spaces.

Defaults

VLAN-mod-port, if DHCP snooping option-82 is disabled.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(40)SG

Support for this command was introduced on the Catalyst 4500 series switch.

12.2(54)SG

Added the override option

Usage Guidelines

The circuit-id suboption of DHCP option 82 is supported only when DHCP snooping is globally enabled and on VLANs using DHCP option 82.

This command allows you to configure a string of ASCII characters to be the circuit ID. When you want to override the vlan-mod-port format type and instead use the circuit-ID to define subscriber information, use the override keyword.

Examples

The following example shows how to enable DHCP snooping on VLAN 500 through 555 and option 82 circuit-id:

You can verify your settings by entering the show ip dhcp snooping user EXEC command.

Note The show ip dhcp snooping user EXEC command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.

ip igmp filter

To control whether all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an IGMP profile to the interface, use the ip igmp filter command. To remove a profile from the interface, use the no form of this command.

ip igmp filter profile number

no ip igmp filter

Syntax Description

profile number

IGMP profile number to be applied; valid values are from 1 to 429496795.

Defaults

Profiles are not applied.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(11b)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.

An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.

Related Commands

ip igmp max-groups

To set the maximum number of IGMP groups that a Layer 2 interface can join, use the ip igmp max-groups command. To set the maximum back to the default, use the no form of this command.

ip igmp max-groups number

no ip igmp max-groups

Syntax Description

number

Maximum number of IGMP groups that an interface can join; valid values are from 0 to 4294967294.

Defaults

No maximum limit.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(11b)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You can use the ip igmp max-groups command only on Layer 2 physical interfaces; you cannot set the IGMP maximum groups for the routed ports, the switch virtual interfaces (SVIs), or the ports that belong to an EtherChannel group.

Examples

This example shows how to limit the number of IGMP groups that an interface can join to 25:

Switch(config)# interface gigabitethernet1/1

Switch(config-if)# ip igmp max-groups 25

Switch(config-if)#

ip igmp profile

To create an IGMP profile, use the ip igmp profile command. To delete the IGMP profile, use the no form of this command.

ip igmp profile profile number

no ip igmp profile profile number

Syntax Description

profile number

IGMP profile number being configured; valid values are from 1 to 4294967295.

Defaults

No profile created.

Command Modes

Global configuration mode

IGMP profile configuration

Command History

Release

Modification

12.1(11b)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.

You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.

Examples

This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:

ip igmp query-interval

To configure the frequency at which the switch sends the IGMP host-query messages, use the ip igmp query-interval command. To return to the default frequency, use the no form of this command.

ip igmp query-interval seconds

no ip igmp query-interval

Syntax Description

seconds

Frequency, in seconds, at which the IGMP host-query messages are transmitted; valid values depend on the IGMP snooping mode. See the "Usage Guidelines" section for more information.

Defaults

The query interval is set to 60 seconds.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

If you use the default IGMP snooping configuration, the valid query interval values are from 1 to 65535 seconds. If you have changed the default configuration to support CGMP as the IGMP snooping learning method, the valid query interval values are from 1 to 300 seconds.

The designated switch for a LAN is the only switch that sends the IGMP host-query messages. For IGMP version 1, the designated switch is elected according to the multicast routing protocol that runs on the LAN. For IGMP version 2, the designated querier is the lowest IP-addressed multicast switch on the subnet.

If no queries are heard for the timeout period (controlled by the ip igmp query-timeout command), the switch becomes the querier.

Note Changing the timeout period may severely impact multicast forwarding.

Examples

This example shows how to change the frequency at which the designated switch sends the IGMP host-query messages:

Switch(config-if)# ip igmp query-interval 120

Switch(config-if)#

Related Commands

Command

Description

ip igmp querier-timeout (refer to Cisco IOS documentation)

Configures the timeout period before the router takes over as the querier for the interface after the previous querier has stopped querying.

To display the multicast groups with receivers that are directly connected to the router and that were learned through Internet Group Management Protocol (IGMP), use the show ip igmp groups command in EXEC mode.

ip igmp snooping

To enable IGMP snooping, use the ip igmp snooping command. To disable IGMP snooping, use the no form of this command.

ip igmp snooping [tcn {flood query count count | query solicit}]

no ip igmp snooping [tcn {flood query count count | query solicit}]

Syntax Description

tcn

(Optional) Specifies the topology change configurations.

flood

(Optional) Specifies to flood the spanning tree table to the network when a topology change occurs.

query

(Optional) Specifies the TCN query configurations.

count count

(Optional) Specifies how often the spanning tree table is flooded; valid values are from 1 to 10.

solicit

(Optional) Specifies an IGMP general query.

Defaults

IGMP snooping is enabled.

Command Modes

Global configuration mode

Interface configuration mode

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(11)EW

Support for flooding the spanning tree table was added.

Usage Guidelines

The tcn flood option applies only to Layer 2 switch ports and EtherChannels; it does not apply to routed ports, VLAN interfaces, or Layer 3 channels.

The ip igmp snooping command is disabled by default on multicast routers.

Note You can use the tcn flood option in interface configuration mode.

Examples

This example shows how to enable IGMP snooping:

Switch(config)# ip igmp snooping

Switch(config)#

This example shows how to disable IGMP snooping:

Switch(config)# no ip igmp snooping

Switch(config)#

This example shows how to enable the flooding of the spanning tree table to the network after nine topology changes have occurred:

Switch(config)# ip igmp snooping tcn flood query count 9

Switch(config)#

This example shows how to disable the flooding of the spanning tree table to the network:

Examples

Related Commands

Displays all currently active fast-drop entries and shows whether fast drop is enabled.

ip multicast multipath

To enable load splitting of IP multicast traffic over Equal Cost Multipath (ECMP), use the ip multicast multipath command in global configuration mode. To disable this functionality, use the no form of this command.

If two or more equal-cost paths from a source are available, unicast traffic will be load-split across those paths. However, by default, multicast traffic is not load-split across multiple equal-cost paths. In general, multicast traffic flows down from the reverse path forwarding (RPF) neighbor. According to the PIM specifications, this neighbor must have the highest IP address if more than one neighbor has the same metric.

When you configure load splitting with the ip multicast multipath command, the system splits multicast traffic across multiple equal-cost paths based on source address using the S-hash algorithm. When the ip multicast multipath command is configured and multiple equal-cost paths exist, the path in which multicast traffic will travel is selected based on the source IP address. Multicast traffic from different sources will be load-split across the different equal-cost paths. Load splitting will not occur across equal-cost paths for multicast traffic from the same source sent to different multicast groups.

Note The ip multicast multipath command load splits the traffic but does not load balance the traffic. Traffic from a source will use only one path, even if the traffic greatly exceeds traffic from other sources.

If the ip multicast multipath command is configured with the s-g-hash keyword and multiple equal-cost paths exist, load splitting will occur across equal-cost paths based on source and group address or on source, group, and next-hop address. If you specify the optional s-g-hash keyword for load splitting IP multicast traffic, you must select the algorithm used to calculate the equal-cost paths by specifying one of the following keywords:

•basic—The basic S-G-hash algorithm is predictable because no randomization is used in calculating the hash value. The basic S-G-hash algorithm, however, is subject to polarization because for a given source and group the same hash is always chosen irrespective of the router that the hash is being calculated on.

•next-hop-based—The next-hop-based S-G-hash algorithm is predictable because no randomization is used to determine the hash value. Unlike the S-hash and basic S-G-hash algorithms, the next-hop-based hash mechanism is not subject to polarization.

Examples

The following example shows how to enable ECMP multicast load splitting on a router based on source address using the S-hash algorithm:

Switch(config)# ip multicast multipath

The following example shows how to enable ECMP multicast load splitting on a router based on source and group address using the basic S-G-hash algorithm:

Switch(config)# ip multicast multipath s-g-hash basic

The following example shows how to enable ECMP multicast load splitting on a router based on source, group, and next-hop address using the next-hop-based S-G-hash algorithm:

Switch(config)# ip multicast multipath s-g-hash next-hop-based

ip route-cache flow

To enable NetFlow statistics for IP routing, use the ip route-cache flow command. To disable NetFlow statistics, use the no form of this command.

ip route-cache flow [infer-fields]

no ip route-cache flow [infer-fields]

Syntax Description

infer-fields

(Optional) Includes the NetFlow fields as inferred by the software: Input identifier, Output identifier, and Routing information.

Defaults

NetFlow statistics is disabled.

Inferred information is excluded.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.

12.1(19)EW

Command enhanced to support infer fields.

Usage Guidelines

To use these commands, you need to install the Supervisor Engine IV and the NetFlow Service Card.

The NetFlow statistics feature captures a set of traffic statistics. These traffic statistics include the source IP address, destination IP address, Layer 4 port information, protocol, input and output identifiers, and other routing information that can be used for network analysis, planning, accounting, billing and identifying DoS attacks.

NetFlow switching is supported on IP and IP-encapsulated traffic over all interface types.

If you enter the ip route-cache flow infer-fields command after the ip route-cache flow command, you will purge the existing cache, and vice versa. This action is done to avoid having flows with and without inferred fields in the cache simultaneously.

Defaults

Command Modes

Command History

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The ip source binding command is used to add a static IP source binding entry only.

The no form of this command deletes the corresponding IP source binding entry. For the deletion to succeed, all required parameters must match.

Each static IP binding entry is keyed by a MAC address and VLAN number. If the CLI contains an existing MAC and VLAN, the existing binding entry will be updated with the new parameters; a separate binding entry will not be created.

ip verify header vlan all

To enable IP header validation for Layer 2-switched IPv4 packets, use the ip verify header vlan all command. To disable the IP header validation, use the no form of this command.

ip verify header vlan all

no ip verify header vlan all

Syntax Description

This command has no default settings.

Defaults

The IP header is validated for bridged and routed IPv4 packets.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(20)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command does not apply to Layer 3-switched (routed) packets.

The Catalyst 4500 series switch checks the validity of the following fields in the IPv4 header for all switched IPv4 packets:

•The version must be 4.

•The header length must be greater than or equal to 20 bytes.

•The total length must be greater than or equal to four times the header length and greater than the Layer 2 packet size minus the Layer 2 encapsulation size.

If an IPv4 packet fails the IP header validation, the packet is dropped. If you disable the header validation, the packets with the invalid IP headers are bridged but are not routed even if routing was intended. The IPv4 access lists also are not applied to the IP headers.

Examples

This example shows how to disable the IP header validation for the Layer 2-switched IPv4 packets:

Switch# config terminal

Switch(config)# no ip verify header vlan all

Switch(config)# end

Switch#

ip verify source

To enable IP source guard on untrusted Layer 2 interfaces, use the ip verify source command. To disable IP source guard on untrusted Layer 2 interfaces, use the no form of this command.

Displays the IP source guard configuration and filters on a particular interface.

ip verify unicast source reachable-via

To enable and configure unicast RPF checks on a Supervisor Engine 6-E and Catalyst 4900M chassis IPv4 interface, use the ip verify unicast source reachable-via command. To disable unicast RPF, use the no form of this command.

ip verify unicast source reachable-via rx allow-default

no ip verify unicast source reachable-via

Syntax Description

rx

Verifies that the source address is reachable on the interface where the packet was received.

allow-default

Verifies that the default route matches the source address.

Defaults

Disabled

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(40)SG

Support for this command was introduced on the Catalyst 4500 with a Supervisor Engine 6-E and the Catalyst 4900M chassis.

Usage Guidelines

Note Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.

Do not use unicast RPF on internal network interfaces. Internal interfaces might have routing asymmetry, which means that there are multiple routes to the source of a packet. Apply unicast RPF only where there is natural or configured symmetry.
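A small model of the rx check described above, added here as an illustration and not Cisco code. The routing table, interface names and addresses are constructed, and the function names are hypothetical; it shows a spoofed source being rejected and a legitimate packet on an asymmetric internal path failing the same check.

```python
import ipaddress

# Constructed routing table for this example: (prefix, egress interface).
FIB = [
    ("0.0.0.0/0", "Gi1/1"),      # default route toward the upstream
    ("10.1.0.0/16", "Gi1/2"),
    ("10.2.0.0/16", "Gi1/3"),
    ("10.2.5.0/24", "Gi1/2"),    # more specific route: asymmetry for Gi1/3
    ("10.3.0.0/16", "Gi1/2"),    # two equal routes: symmetric on both ports
    ("10.3.0.0/16", "Gi1/3"),
]


def longest_match(fib, src):
    """Return (prefix length, egress interfaces) of the best route to src."""
    addr = ipaddress.ip_address(src)
    best_len, ifaces = -1, set()
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, ifaces = net.prefixlen, {iface}
        elif net.prefixlen == best_len:
            ifaces.add(iface)
    return best_len, ifaces


def urpf_rx(fib, src, in_if, allow_default=False):
    """Model of 'reachable-via rx': pass only if the best route back to the
    source points out the interface the packet arrived on. The default route
    counts as a match only when allow_default is set."""
    best_len, ifaces = longest_match(fib, src)
    if best_len < 0:
        return False, "no route to source"
    if best_len == 0 and not allow_default:
        return False, "source matches only the default route"
    if in_if not in ifaces:
        via = ", ".join(sorted(ifaces))
        return False, "source is reachable via %s, not %s" % (via, in_if)
    return True, "source is reachable via the receiving interface"


def demo():
    """Run the constructed cases and return (src, in_if, allow_default, verdict)."""
    cases = [
        ("10.1.4.4", "Gi1/2", False),      # normal customer traffic
        ("10.1.4.4", "Gi1/1", False),      # internal source seen on upstream port
        ("198.51.100.9", "Gi1/1", False),  # only the default route matches
        ("198.51.100.9", "Gi1/1", True),   # same packet with allow-default
        ("10.2.5.7", "Gi1/3", False),      # legitimate, but path is asymmetric
        ("10.3.1.1", "Gi1/3", False),      # equal-cost routes: symmetric
    ]
    return [(s, i, d, urpf_rx(FIB, s, i, d)) for s, i, d in cases]


if __name__ == "__main__":
    for src, in_if, allow_default, (ok, reason) in demo():
        print("%-13s in=%s allow-default=%-5s %s (%s)" % (
            src, in_if, allow_default, "forward" if ok else "drop", reason))
```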

Related Commands

ipv6 mld snooping

To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping globally or on the specified VLAN, use the ipv6 mld snooping command without keywords. To disable MLD snooping on a switch or the VLAN, use the no form of this command.

ipv6 mld snooping [vlan vlan-id]

no ipv6 mld snooping [vlan vlan-id]

Syntax Description

vlan vlan-id

(Optional) Enables or disables IPv6 MLD snooping on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

Defaults

MLD snooping is globally disabled on the switch.

MLD snooping is enabled on all VLANs. However, MLD snooping must be globally enabled before VLAN snooping can take place.

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(40)SG

This command was introduced on the Catalyst 4500.

Usage Guidelines

When MLD snooping is globally disabled, it is disabled on all the existing VLAN interfaces. When you globally enable MLD snooping, it is enabled on all VLAN interfaces that are in the default state (enabled). VLAN configuration overrides global configuration on interfaces on which MLD snooping has been disabled.

If MLD snooping is globally disabled, you cannot enable it on a VLAN. If MLD snooping is globally enabled, you can disable it on individual VLANs.

VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.

Examples

This example shows how to globally enable MLD snooping:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ipv6 mld snooping

Switch(config)# end

Switch#

This example shows how to disable MLD snooping on a VLAN:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# no ipv6 mld snooping vlan 11

Switch(config)# end

Switch#

You can verify your settings by entering the show ipv6 mld snooping user EXEC command.

Related Commands

ipv6 mld snooping last-listener-query-count

To configure IP version 6 (IPv6) Multicast Listener Discovery Multicast Address Specific Queries (MASQs) that will be sent before aging out a client, use the ipv6 mld snooping last-listener-query-count command. To reset the query count to the default settings, use the no form of this command.

Syntax Description

(Optional) Configures last-listener query count on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

integer_value

The integer range is 1 to 7.

Command Default

The default global count is 2.

The default VLAN count is 0 (the global count is used).

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(40)SG

This command was introduced on the Catalyst 4500.

Usage Guidelines

In MLD snooping, the IPv6 multicast switch periodically sends out queries to hosts belonging to the multicast group. If a host wants to leave a multicast group, it can silently leave or it can respond to the query with a Multicast Listener Done message (equivalent to an IGMP Leave message). When Immediate Leave is not configured (it should not be configured if multiple clients for a group exist on the same port), the configured last-listener query count determines the number of MASQs that are sent before an MLD client is aged out.

When the last-listener query count is set for a VLAN, this count overrides the value configured globally. When the VLAN count is not configured (set to the default of 0), the global count is used.

VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.

Examples

This example shows how to globally set the last-listener query count:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ipv6 mld snooping last-listener-query-count 1

Switch(config)# end

Switch#

This example shows how to set the last-listener query count for VLAN 10:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ipv6 mld snooping vlan 10 last-listener-query-count 3

Switch(config)# end

Switch#

You can verify your settings by entering the show ipv6 mld snooping [vlan vlan-id] user EXEC command.

Displays IP version 6 (IPv6) MLD snooping querier-related information most recently received by the switch or the VLAN.

ipv6 mld snooping last-listener-query-interval

To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping last-listener query interval on the switch or on a VLAN, use the ipv6 mld snooping last-listener-query-interval command. To reset the query time to the default settings, use the no form of this command.

Syntax Description

vlan vlan-id

(Optional) Configures last-listener query interval on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

integer_value

Sets the time period (in thousandths of a second) that a multicast switch must wait after issuing a MASQ before deleting a port from the multicast group. The range is 100 to 32,768. The default is 1000 (1 second).

Command Modes

Command History

Usage Guidelines

The last-listener-query-interval time is the maximum time that a multicast switch waits after issuing a Multicast Address Specific Query (MASQ) before deleting a port from the multicast group.

In MLD snooping, when the IPv6 multicast switch receives an MLD leave message, it sends out queries to hosts belonging to the multicast group. If there are no responses from a port to a MASQ for a length of time, the switch deletes the port from the membership database of the multicast address. The last listener query interval is the maximum time that the switch waits before deleting a nonresponsive port from the multicast group.

When a VLAN query interval is set, the global query interval is overridden. When the VLAN interval is set at 0, the global value is used.

VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.

Examples

This example shows how to globally set the last-listener query interval to 2 seconds:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ipv6 mld snooping last-listener-query-interval 2000

Switch(config)# end

Switch#

This example shows how to set the last-listener query interval for VLAN 1 to 5.5 seconds:

Displays IP version 6 (IPv6) MLD snooping querier-related information most recently received by the switch or the VLAN.

ipv6 mld snooping listener-message-suppression

To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping listener message suppression, use the ipv6 mld snooping listener-message-suppression command. To disable MLD snooping listener message suppression, use the no form of this command.

ipv6 mld snooping listener-message-suppression

no ipv6 mld snooping listener-message-suppression

Command Default

The default is for MLD snooping listener message suppression to be disabled.

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(40)SG

This command was introduced on the Catalyst 4500.

Usage Guidelines

MLD snooping listener message suppression is equivalent to IGMP snooping report suppression. When it is enabled, received MLDv1 reports to a group are forwarded to IPv6 multicast switches only once in every report-forward time. This prevents the forwarding of duplicate reports.

Related Commands

Displays IP version 6 (IPv6) MLD snooping configuration of the switch or the VLAN.

ipv6 mld snooping robustness-variable

To configure the number of IP version 6 (IPv6) Multicast Listener Discovery (MLD) queries that the switch sends before deleting a listener that does not respond, or to enter a VLAN ID to configure the number of queries per VLAN, use the ipv6 mld snooping robustness-variable command. To reset the variable to the default settings, use the no form of this command.

ipv6 mld snooping [vlan vlan-id] robustness-variable integer_value

no ipv6 mld snooping [vlan vlan-id] robustness-variable

Syntax Description

vlan vlan-id

(Optional) Configures the robustness variable on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

integer_value

The robustness value ranges from 1 to 3.

Command Default

The default global robustness variable (number of queries before deleting a listener) is 2.

The default VLAN robustness variable (number of queries before aging out a multicast address) is 0, which means that the system uses the global robustness variable for aging out the listener.

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(40)SG

This command was introduced on the Catalyst 4500.

Usage Guidelines

Robustness is measured by the number of MLDv1 queries sent with no response before a port is removed from a multicast group. A port is deleted when there are no MLDv1 reports received for the configured number of MLDv1 queries. The global value determines the number of queries that the switch waits before deleting a listener that does not respond, and it applies to all VLANs that do not have a VLAN value set.

The robustness value configured for a VLAN overrides the global value. If the VLAN robustness value is 0 (the default), the global value is used.

VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.

Examples

This example shows how to configure the global robustness variable so that the switch sends out three queries before it deletes a listener port that does not respond:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ipv6 mld snooping robustness-variable 3

Switch(config)# end

Switch#

This example shows how to configure the robustness variable for VLAN 1. This value overrides the global configuration for the VLAN:

Displays IP version 6 (IPv6) MLD snooping configuration of the switch or the VLAN.

ipv6 mld snooping tcn

To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) Topology Change Notifications (TCNs), use the ipv6 mld snooping tcn commands. To reset the default settings, use the no form of the commands.

Related Commands

Displays IP version 6 (IPv6) MLD snooping configuration of the switch or the VLAN.

ipv6 mld snooping vlan

To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping parameters on the VLAN interface, use the ipv6 mld snooping vlan command. To reset the parameters to the default settings, use the no form of this command.

Related Commands

Displays IP version 6 (IPv6) MLD snooping configuration of the switch or the VLAN.

issu abortversion

To cancel the ISSU upgrade or the downgrade process in progress and to restore the Catalyst 4500 series switch to its state before the start of the process, use the issu abortversion command.

issu abortversion active-slot [active-image-new]

Syntax Description

active-slot

Specifies the slot number for the current standby supervisor engine.

active-image-new

(Optional) Name of the new image present in the current standby supervisor engine.

Defaults

There are no default settings.

Command Modes

Privileged EXEC mode

Command History

Release

Modification

12.2(31)SGA

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You can use the issu abortversion command at any time to stop the ISSU process. To complete the process enter the issu commitversion command. Before any action is taken, a check ensures that both supervisor engines are either in the run version (RV) or load version (LV) state.

When the issu abortversion command is entered before the issu runversion command, the standby supervisor engine is reset and reloaded with the old image. When the issu abortversion command is entered after the issu runversion command, a change takes place and the new standby supervisor engine is reset and reloaded with the old image.

Examples

This example shows how you can reset and reload the standby supervisor engine:

Defaults

Command Modes

Privileged EXEC mode

Command History

Release

Modification

12.2(31)SGA

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

After you are satisfied with the new image and have confirmed the new supervisor engine is reachable by both the console and the network, enter the issu acceptversion command to halt the rollback timer. If the issu acceptversion command is not entered within 45 minutes from the time the issu runversion command is entered, the entire ISSU process is automatically rolled back to the previous version of the software. The rollback timer starts immediately after you enter the issu runversion command.

If the rollback timer expires before the standby supervisor engine goes to a hot standby state, the timer is automatically extended by up to 15 minutes. If the standby state goes to a hot-standby state within this extension time or the 15 minute extension expires, the switch aborts the ISSU process. A warning message that requires your intervention is displayed every 1 minute of the timer extension.

If the rollback timer is set to a long period of time, such as the default of 45 minutes, and the standby supervisor engine goes into the hot standby state in 7 minutes, you have 38 minutes (45 minus 7) to roll back if necessary.

Use the issu set rollback-timer command to configure the rollback timer.

Examples

This example shows how to halt the rollback timer and allow the ISSU process to continue:

Displays the ISSU state and current booted image name during the ISSU process.

issu commitversion

To load the new Cisco IOS software image into the new standby supervisor engine, use the issu commitversion command.

issu commitversion standby-slot [standby-image-new]

Syntax Description

standby-slot

Specifies the slot number for the currently active supervisor engine.

standby-image-new

(Optional) Name of the new image on the currently active supervisor engine.

Defaults

Enabled by default.

Command Modes

Privileged EXEC mode

Command History

Release

Modification

12.2(31)SGA

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The issu commitversion command verifies that the standby supervisor engine has the new Cisco IOS software image in its file system and that both supervisor engines are in the run version (RV) state. If these conditions are met, the following actions take place:

•The standby supervisor engine is reset and booted with the new version of Cisco IOS software.

•The standby supervisor engine moves into the Stateful Switchover (SSO) mode and is fully stateful for all clients and applications with which the standby supervisor engine is compatible.

•The supervisor engines are moved into final state, which is the same as initial state.

Entering the issu commitversion command completes the In Service Software Upgrade (ISSU) process. This process cannot be stopped or reverted to its original state without starting a new ISSU process.

Entering the issu commitversion command without entering the issu acceptversion command is equivalent to entering both the issu acceptversion and the issu commitversion commands. Use the issu commitversion command if you do not intend to run in the current state for an extended period of time and are satisfied with the new software version.

Examples

This example shows how you can configure the standby supervisor engine to be reset and reloaded with the new Cisco IOS software version:

Syntax Description

Specifies the name of the new image on the currently active supervisor engine.

standby-slot

Specifies the standby slot on the networking device.

standby-image-new

Specifies the name of the new image on the standby supervisor engine.

force

(Optional) Overrides the automatic rollback when the new Cisco IOS software version is detected to be incompatible.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC mode

Command History

Release

Modification

12.2(31)SGA

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The issu loadversion command causes the standby supervisor engine to be reset and booted with the new Cisco IOS software image specified by the command. If both the old image and the new image are ISSU capable, ISSU compatible, and have no configuration mismatches, the standby supervisor engine moves into Stateful Switchover (SSO) mode, and both supervisor engines move into the load version (LV) state.

It will take several seconds after the issu loadversion command is entered for Cisco IOS software to load onto the standby supervisor engine and the standby supervisor engine to transition to SSO mode.

Displays the ISSU state and current booted image name during the ISSU process.

issu runversion

To force a change from the active supervisor engine to the standby supervisor engine and to cause the newly active supervisor engine to run the new image specified in the issu loadversion command, use the issu runversion command.

issu runversion standby-slot [standby-image-new]

Syntax Description

standby-slot

Specifies the standby slot on the networking device.

standby-image-new

(Optional) Specifies the name of the new image on the standby supervisor engine.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC mode

Command History

Release

Modification

12.2(31)SGA

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The issu runversion command changes the currently active-supervisor engine to standby-supervisor engine and the real standby-supervisor engine is booted with the old image version following and resets the switch. As soon as the standby-supervisor engine moves into the standby state, the rollback timer is started.

Examples

This example shows how to force a change of the active-supervisor engine to standby-supervisor engine:

Related Commands

Configures the In Service Software Upgrade (ISSU) rollback timer value.

l2protocol-tunnel

To enable protocol tunneling on an interface, use the l2protocol-tunnel command. You can enable tunneling for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable tunneling on the interface, use the no form of this command.

l2protocol-tunnel [cdp | stp | vtp]

no l2protocol-tunnel [cdp | stp | vtp]

Syntax Description

cdp

(Optional) Enables tunneling of CDP.

stp

(Optional) Enables tunneling of STP.

vtp

(Optional) Enables tunneling of VTP.

Defaults

The default is that no Layer 2 protocol packets are tunneled.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You must enter this command, with or without protocol types, to tunnel Layer 2 packets.

Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.

You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.

Examples

This example shows how to enable protocol tunneling for the CDP packets:

l2protocol-tunnel drop-threshold

To set a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets, use the l2protocol-tunnel drop-threshold command. You can set the drop threshold for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the drop threshold on the interface, use the no form of this command.

l2protocol-tunnel drop-threshold [cdp | stp | vtp] value

no l2protocol-tunnel drop-threshold [cdp | stp | vtp] value

Syntax Description

cdp

(Optional) Specifies a drop threshold for CDP.

stp

(Optional) Specifies a drop threshold for STP.

vtp

(Optional) Specifies a drop threshold for VTP.

value

Specifies a threshold in packets per second to be received for encapsulation before the interface shuts down, or specifies the threshold before the interface drops packets. The range is 1 to 4096. The default is no threshold.

Defaults

The default is no drop threshold for the number of the Layer 2 protocol packets.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The l2protocol-tunnel drop-threshold command controls the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold on the interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.

When the drop threshold is reached, the interface drops the Layer 2 protocol packets until the rate at which they are received is below the drop threshold.

l2protocol-tunnel shutdown-threshold

To configure the protocol tunneling encapsulation rate, use the l2protocol-tunnel shutdown-threshold command. You can set the encapsulation rate for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the encapsulation rate on the interface, use the no form of this command.

l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value

no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value

Syntax Description

cdp

(Optional) Specifies a shutdown threshold for CDP.

stp

(Optional) Specifies a shutdown threshold for STP.

vtp

(Optional) Specifies a shutdown threshold for VTP.

value

Specifies a threshold in packets per second to be received for encapsulation before the interface shuts down. The range is 1 to 4096. The default is no threshold.

Defaults

The default is no shutdown threshold for the number of Layer 2 protocol packets.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The l2protocol-tunnel shutdown-threshold command controls the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold on the interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.

When the shutdown threshold is reached, the interface is error disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard command, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out. If the error recovery feature generation is not enabled for l2ptguard, the interface stays in the error-disabled state until you enter the shutdown and no shutdown commands.
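An offline check of the rules stated for l2protocol-tunnel, drop-threshold and shutdown-threshold, added here as an example and not Cisco tooling. The configuration text is constructed, the function names are hypothetical, and it assumes that a threshold line without a protocol keyword sets the value for all three protocols and that later lines override earlier ones.

```python
import re

PROTOCOLS = ("cdp", "stp", "vtp")
VALUE_RANGE = range(1, 4097)          # "The range is 1 to 4096."

# Constructed interface configuration, for example a rendered template
# that has not been pushed to a switch yet.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel drop-threshold cdp 50
 l2protocol-tunnel shutdown-threshold cdp 40
!
interface GigabitEthernet2/2
 l2protocol-tunnel
 l2protocol-tunnel drop-threshold 100
 l2protocol-tunnel shutdown-threshold 200
!
interface GigabitEthernet2/3
 l2protocol-tunnel vtp
 l2protocol-tunnel shutdown-threshold vtp 5000
"""

LINE = re.compile(
    r"^\s*l2protocol-tunnel"
    r"(?:\s+(?P<kind>drop-threshold|shutdown-threshold))?"
    r"(?:\s+(?P<proto>cdp|stp|vtp))?"
    r"(?:\s+(?P<value>\d+))?\s*$")


def parse(config_text):
    """Collect tunneled protocols and thresholds per interface."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {
                "tunnel": set(), "drop-threshold": {}, "shutdown-threshold": {}})
            continue
        m = LINE.match(line)
        if not m or current is None:
            continue
        # No protocol keyword means the line applies to all three protocols.
        protos = [m.group("proto")] if m.group("proto") else list(PROTOCOLS)
        if m.group("kind") is None:
            if m.group("value") is None:
                current["tunnel"].update(protos)
        elif m.group("value") is not None:
            for proto in protos:
                current[m.group("kind")][proto] = int(m.group("value"))
    return interfaces


def audit(config_text):
    """Return (interface, protocol, finding) for each rule that is violated."""
    findings = []
    for name, cfg in parse(config_text).items():
        for proto in PROTOCOLS:
            if proto not in cfg["tunnel"]:
                continue
            drop = cfg["drop-threshold"].get(proto)
            shut = cfg["shutdown-threshold"].get(proto)
            for kind, value in (("drop-threshold", drop),
                                ("shutdown-threshold", shut)):
                if value is not None and value not in VALUE_RANGE:
                    findings.append((name, proto,
                                     "%s %d is outside 1 to 4096" % (kind, value)))
            if drop is None and shut is None:
                # Default on the page: no threshold, so the rate is unbounded.
                findings.append((name, proto,
                                 "tunneled with no drop or shutdown threshold"))
            elif drop is not None and shut is not None and drop > shut:
                findings.append((name, proto,
                                 "drop-threshold %d exceeds shutdown-threshold %d"
                                 % (drop, shut)))
    return findings


if __name__ == "__main__":
    for interface, proto, finding in audit(SAMPLE_CONFIG):
        print("%s %s: %s" % (interface, proto, finding))
```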

Sets a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets.

lacp port-priority

To set the LACP priority for the physical interfaces, use the lacp port-priority command.

lacp port-priority priority

Syntax Description

priority

Priority for the physical interfaces; valid values are from 1 to 65535.

Defaults

Priority is set to 32768.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(13)EW

This command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

This command is not supported on the systems that are configured with a Supervisor Engine I.

You must assign each port in the switch a port priority that can be specified automatically or by entering the lacp port-priority command. The port priority is used with the port number to form the port identifier. The port priority is used to decide which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.

Although this command is a global configuration command, the priority value is supported only on port channels with LACP-enabled physical interfaces. This command is supported on LACP-enabled interfaces.

When setting the priority, the higher numbers indicate lower priorities.

lacp system-priority

To set the priority of the system for LACP, use the lacp system-priority command.

lacp system-priority priority

Syntax Description

priority

Priority of the system; valid values are from 1 to 65535.

Defaults

Priority is set to 32768.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(13)EW

This command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

This command is not supported on systems that are configured with a Supervisor Engine I.

You must assign each switch that is running LACP a system priority that can be specified automatically or by entering the lacp system-priority command. The system priority is used with the switch MAC address to form the system ID and is also used during negotiation with other systems.

Although this command is a global configuration command, the priority value is supported on port channels with LACP-enabled physical interfaces.

lldp run

To enable processing of received LLDP control packets and transmission of LLDP packets with default or configured TLVs, use the lldp run command.

lldp run

Syntax Description

This command has no arguments or keywords.

Defaults

LLDP is disabled.

Command Modes

global interface level

Command History

Release

Modification

12.2(44)SG

Support was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Configuring this command enables the LLDP protocol on the switch. Removing it disables processing or transmission of LLDP packets from the switch.

Examples

This example shows how to enable LLDP on the switch:

Switch(config)# lldp run

lldp tlv-select power-management

To enable power negotiation through LLDP, use the lldp tlv-select power-management interface command.

lldp tlv-select power-management

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled on POEP ports

Command Modes

Interface level

Command History

Release

Modification

12.2(54)SG

Support was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You need to disable this feature if you do not want to perform power negotiation through LLDP.

This feature is not supported on non-POEP ports; the CLI is suppressed on such ports and TLV is not exchanged.

Examples

This example shows how to enable LLDP power negotiation on interface Gigabit Ethernet 3/1:

Switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# int gi 3/1

Switch(config-if)# lldp tlv-select power-management

Related Commands

Command

Description

lldp run

Cisco IOS Command Reference library.

logging event link-status global (global configuration)

To change the default switch-wide global link-status event messaging settings, use the logging event link-status global command. Use the no form of this command to disable the link-status event messaging.

logging event link-status global

no logging event link-status global

Syntax Description

This command has no arguments or keywords.

Defaults

The global link-status messaging is disabled.

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(25)SG

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

If link-status logging event is not configured at the interface level, this global link-status setting takes effect for each interface.

Examples

This example shows how to globally enable link status message on each interface:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# logging event link-status global

Switch(config)# end

Switch#

Related Commands

logging event link-status (interface configuration)

To enable the link-status event messaging on an interface, use the logging event link-status command. Use the no form of this command to disable link-status event messaging. Use the logging event link-status use-global command to apply the global link-status setting.

logging event link-status

no logging event link-status

logging event link-status use-global

Defaults

Global link-status messaging is enabled.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(25)SG

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

To enable system logging of interface state-change events on a specific interface, enter the logging event link-status command in interface configuration mode.

To enable system logging of interface state-change events on all interfaces in the system, enter the logging event link-status global command in global configuration mode. All interfaces without the state change event configuration use the global setting.
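The precedence described above (an interface-level setting overrides the global one, and use-global or no interface setting inherits it) can be audited offline. The following Python is an added example, not Cisco code; it assumes the configuration text contains the commands exactly as they are typed on this page, with interface subcommands indented, and the sample configurations are constructed.

```python
"""Resolve the effective link-status logging setting for each interface.

Added illustration. Assumption: the input is configuration text in which
the link-status commands appear as typed on this page and interface
subcommands are indented under their "interface" line.
"""
import re

IF_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
CMD_RE = re.compile(
    r"^(no )?logging event link-status(?: (global|use-global))?$"
)


def effective_link_status(config):
    """Return {interface: (enabled, source)}; source is 'interface' or 'global'."""
    global_on = False   # page default: global link-status messaging disabled
    explicit = {}       # interface -> True / False / None (None = use global)
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = " ".join(raw.split())        # normalise internal whitespace
        indented = raw[0].isspace()
        if not indented:
            current = None                  # any top-level line ends the block
            m_if = IF_RE.match(line)
            if m_if:
                current = m_if.group(1)
                explicit.setdefault(current, None)
                continue
            m = CMD_RE.match(line)
            if m and m.group(2) == "global":
                global_on = m.group(1) is None
            continue
        if current is None:
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        if m.group(2) == "use-global":
            explicit[current] = None        # inherit the global setting
        elif m.group(2) is None:
            explicit[current] = m.group(1) is None   # "no" form disables
    # Resolve after the whole file is read, so the position of the global
    # command relative to the interface blocks does not matter.
    result = {}
    for name, setting in explicit.items():
        if setting is None:
            result[name] = (global_on, "global")
        else:
            result[name] = (setting, "interface")
    return result


def unlogged_interfaces(config):
    """Interfaces whose link state changes would not be logged."""
    status = effective_link_status(config)
    return sorted(name for name, (on, _) in status.items() if not on)


# Constructed sample configurations (not taken from a real switch).
SAMPLE_GLOBAL_ON = """\
logging event link-status global
!
interface GigabitEthernet1/1
 switchport mode access
!
interface GigabitEthernet1/2
 no logging event link-status
!
interface GigabitEthernet1/3
 logging event link-status use-global
!
"""

SAMPLE_GLOBAL_OFF = """\
interface GigabitEthernet1/1
 switchport mode access
!
interface GigabitEthernet1/2
 logging event link-status
!
interface GigabitEthernet1/3
 logging event link-status use-global
!
"""

if __name__ == "__main__":
    for label, cfg in (("global on", SAMPLE_GLOBAL_ON),
                       ("global off", SAMPLE_GLOBAL_OFF)):
        print(label, unlogged_interfaces(cfg))
```
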

Examples

This example shows how to enable logging event state-change events on interface gi11/1:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gi11/1

Switch(config-if)# logging event link-status

Switch(config-if)# end

Switch#

This example shows how to turn off logging event link status regardless of the global setting:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gi11/1

Switch(config-if)# no logging event link-status

Switch(config-if)# end

Switch#

This example shows how to enable the global event link-status setting on interface gi11/1:

Related Commands

logging event trunk-status (interface configuration)

To enable the trunk-status event messaging on an interface, use the logging event trunk-status command. Use the no form of this command to disable the trunk-status event messaging. Use the logging event trunk-status use-global command to apply the global trunk-status setting.

logging event trunk-status

no logging event trunk-status

logging event trunk-status use-global

Defaults

Global trunk-status messaging is enabled.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(25)SG

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

To enable system logging of interface state-change events on a specific interface, enter the logging event trunk-status command in interface configuration mode.

To enable system logging of interface state-change events on all interfaces in the system, enter the logging event trunk-status use-global command in global configuration mode. All interfaces without the state change event configuration use the global setting.

Examples

This example shows how to enable logging event state-change events on interface gi11/1:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gi11/1

Switch(config-if)# logging event trunk-status

Switch(config-if)# end

Switch#

This example shows how to turn off logging event trunk status regardless of the global setting:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gi11/1

Switch(config-if)# no logging event trunk-status

Switch(config-if)# end

Switch#

This example shows how to enable the global event trunk-status setting on interface gi11/1:

Related Commands

mab

To enable and configure MAC authorization bypass (MAB) on a port, use the mab command in interface configuration mode. To disable MAB, use the no form of this command.

mab [eap]

no mab [eap]

Note The mab command is totally independent of the effect of the dot1x system-auth-control command.

Syntax Description

eap

(Optional) Specifies that a full EAP conversation should be used, as opposed to standard RADIUS Access-Request, Access-Accept conversation.

Command Default

Disabled

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(50)SG

Support for this command was introduced.

Usage Guidelines

When a port is configured for MAB as a fallback method, it operates in the typical dot1x manner until a configurable number of attempts to request the identity of the host have failed. The authenticator then learns the MAC address of the host and uses that information to query an authentication server to see whether this MAC address will be granted access.

Examples

The following example shows how to enable MAB on a port:

Switch(config-if)# mab

Switch(config-if)#

The following example shows how to enable and configure MAB on a port:

When you enter the src-mac mask or dest-mac mask value, follow these guidelines:

• Enter the MAC addresses as three 4-byte values in dotted hexadecimal format such as 0030.9629.9f84.

• Enter the MAC address masks as three 4-byte values in dotted hexadecimal format. Use 1 bit as a wildcard. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).

• For the optional protocol parameter, you can enter either the EtherType or the keyword.

• Entries without a protocol parameter match any protocol.

• The access list entries are scanned in the order that you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the access list.

• An implicit deny any any entry exists at the end of an access list unless you include an explicit permit any any entry at the end of the list.

• All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list.

Examples

This example shows how to create a MAC layer access list named mac_layer that denies traffic from 0000.4700.0001, which is going to 0000.4700.0009, and permits all other traffic:
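The matching rules listed above (wildcard masks, optional protocol, first match wins, implicit deny) can be checked offline with a small model. The Python below is an added illustration, not Cisco code and not the IOS listing for this example; the Entry layout, the function names and the shadowing check are assumptions made here, and the addresses are the ones named in the example above.

```python
"""Model of MAC ACL evaluation: wildcard masks, first match, implicit deny.

Added illustration; the data layout and names are assumptions, not IOS code.
"""
import string
from dataclasses import dataclass
from typing import Optional

ALL_BITS = 0xFFFFFFFFFFFF   # 48-bit mask with every bit wildcarded ("any")


def parse_mac(text):
    """Parse dotted hex (0030.9629.9f84, short form 0.0.0) into a 48-bit int."""
    groups = text.split(".")
    if len(groups) != 3:
        raise ValueError(f"expected three dotted groups: {text!r}")
    value = 0
    for group in groups:
        if not 1 <= len(group) <= 4 or any(c not in string.hexdigits for c in group):
            raise ValueError(f"bad group {group!r} in {text!r}")
        value = (value << 16) | int(group, 16)
    return value


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    src: int
    src_mask: int                    # a 1 bit is a wildcard
    dst: int
    dst_mask: int
    ethertype: Optional[int] = None  # None matches any protocol

    def matches(self, src, dst, ethertype):
        # Compare only the bit positions whose mask bit is 0.
        if (src ^ self.src) & ~self.src_mask & ALL_BITS:
            return False
        if (dst ^ self.dst) & ~self.dst_mask & ALL_BITS:
            return False
        return self.ethertype is None or self.ethertype == ethertype


def entry(action, src, src_mask, dst, dst_mask, ethertype=None):
    """Build an Entry from dotted-hex strings."""
    return Entry(action, parse_mac(src), parse_mac(src_mask),
                 parse_mac(dst), parse_mac(dst_mask), ethertype)


def evaluate(acl, src, dst, ethertype):
    """Return (action, index) of the first match, or ('deny', None) when
    nothing matches and the implicit deny any any applies."""
    s, d = parse_mac(src), parse_mac(dst)
    for index, e in enumerate(acl):
        if e.matches(s, d, ethertype):
            return e.action, index
    return "deny", None


def _covers(value_a, mask_a, value_b, mask_b):
    """True if every address matched by (b, mask_b) is matched by (a, mask_a)."""
    wildcards_subset = (mask_b & ~mask_a & ALL_BITS) == 0
    fixed_bits_agree = ((value_a ^ value_b) & ~mask_a & ALL_BITS) == 0
    return wildcards_subset and fixed_bits_agree


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry
    already matches everything they would (an ordering mistake)."""
    hidden = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_covers(earlier.src, earlier.src_mask, later.src, later.src_mask)
                    and _covers(earlier.dst, earlier.dst_mask, later.dst, later.dst_mask)
                    and earlier.ethertype in (None, later.ethertype)):
                hidden.append(j)
                break
    return hidden


# The list described in the example above: one exact-match deny, then permit any any.
MAC_LAYER = [
    entry("deny", "0000.4700.0001", "0.0.0", "0000.4700.0009", "0.0.0"),
    entry("permit", "0.0.0", "ffff.ffff.ffff", "0.0.0", "ffff.ffff.ffff"),
]

if __name__ == "__main__":
    print(evaluate(MAC_LAYER, "0000.4700.0001", "0000.4700.0009", 0x0800))
    print(evaluate(MAC_LAYER, "0000.4700.0002", "0000.4700.0009", 0x0800))
    print(evaluate(MAC_LAYER[:1], "0000.4700.0002", "0000.4700.0009", 0x0800))
    print(shadowed_entries(list(reversed(MAC_LAYER))))
```

Because new entries are always appended, a permit any any entered first leaves every later deny unreachable; shadowed_entries reports such entries before the list is applied.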

Related Commands

mac-address-table dynamic group protocols

To enable the learning of MAC addresses in both the "ip" and "other" protocol buckets, even though the incoming packet may belong to only one of the protocol buckets, use the mac-address-table dynamic group protocols command. To disable grouped learning, use the no form of this command.

mac-address-table dynamic group protocols {ip | other} {ip | other}

no mac-address-table dynamic group protocols {ip | other} {ip | other}

Syntax Description

ip

Specifies the "ip" protocol bucket.

other

Specifies the "other" protocol bucket.

Defaults

The group learning feature is disabled.

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The entries within the "ip" and "other" protocol buckets are created according to the protocol of the incoming traffic.

When you use the mac-address-table dynamic group protocols command, an incoming MAC address that might belong to either the "ip" or the "other" protocol bucket is learned on both protocol buckets. Therefore, any traffic destined to this MAC address and belonging to any of the protocol buckets is unicast to that MAC address, rather than flooded. This reduces the unicast Layer 2 flooding that might be caused if the incoming traffic from a host belongs to a different protocol bucket than the traffic that is destined to the sending host.

Examples

This example shows that the MAC addresses are initially assigned to either the "ip" or the "other" protocol bucket:

mac address-table learning vlan

To enable MAC address learning on a VLAN, use the mac address-table learning global configuration command. Use the no form of this command to disable MAC address learning on a VLAN to control which VLANs can learn MAC addresses.

mac address-table learning vlan vlan-id

no mac address-table learning vlan vlan-id

Syntax Description

vlan-id

Specifies a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.

Defaults

Enabled on all VLANs

Command Modes

Global configuration

Command History

Release

Modification

12.2(54)SG

This command was modified to support the disable learning feature on the Catalyst 4500 series switch.

Usage Guidelines

When you control MAC address learning on a VLAN, you can manage the available table space by controlling which VLANs, and which ports can learn MAC addresses.

Before you disable MAC address learning, familiarize yourself with the network topology and the switch system configuration. If you disable MAC address learning on a VLAN, flooding may occur in the network. For example, if you disable MAC address learning on a VLAN with a configured switch virtual interface (SVI), the switch floods all IP packets in the Layer 2 domain. If you disable MAC address learning on a VLAN that includes more than two ports, every packet entering the switch is flooded in that VLAN domain. Disable MAC address learning only in VLANs that contain two ports. Use caution before disabling MAC address learning on a VLAN with an SVI.

You cannot disable MAC address learning on a VLAN that the switch uses internally. This action causes the switch to generate an error message and rejects the no mac address-table learning vlan command. To view used internal VLANs, enter the show vlan internal usage privileged EXEC command.

If you disable MAC address learning on a VLAN configured as a PVLAN primary or a secondary VLAN, the MAC addresses are still learned on the VLAN (primary or secondary) associated with the PVLAN.

You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.

If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on the secure port. If you later disable port security on the interface, the disabled MAC address learning state is enabled.

To display the MAC address learning status of a specific VLAN or for all VLANs, enter the show mac-address-table learning vlan command.

Usage Guidelines

You can enable the MAC change notification feature using the mac-address-table notification change command. If you do this, you must also enable MAC notification traps on an interface using the snmp trap mac-notification change interface configuration command and configure the switch to send MAC change traps to the NMS using the snmp-server enable traps mac-notification global configuration command.

When the history-size option is configured, the existing MAC change history table is deleted, and a new table is created.

Examples

This example shows how to set the MAC address notification history table size to 300 entries:

mac-address-table static

To configure the static MAC addresses for a VLAN interface or drop unicast traffic for a MAC address for a VLAN interface, use the mac-address-table static command. To remove the static MAC address configurations, use the no form of this command.

Syntax Description

Interface type and number; valid options are FastEthernet and GigabitEthernet.

drop

Drops all traffic received from and going to the configured MAC address in the specified VLAN.

Defaults

This command has no default settings.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

When a static MAC address is installed, it is associated with a port.

The output interface specified must be a Layer 2 interface and not an SVI.

If you do not enter a protocol type, an entry is automatically created for each of the four protocol types.

Entering the no form of this command does not remove the system MAC addresses.

When removing a MAC address, entering interface int is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.

Examples

This example shows how to add the static entries to the MAC address table:

Related Commands

macro apply cisco-desktop

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop, use the macro apply cisco-desktop command.

macro apply cisco-desktop $AVID access_vlanid

Syntax Description

$AVID access_vlanid

Specifies an access VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Enables the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch.

macro apply cisco-phone

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop and a Cisco IP phone, use the macro apply cisco-phone command.

macro apply cisco-phone $AVID access_vlanid $VVID voice_vlanid

Syntax Description

$AVID access_vlanid

Specifies an access VLAN ID.

$VVID voice_vlanid

Specifies a voice VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Enables the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch.

macro apply cisco-router

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a router, use the macro apply cisco-router command.

macro apply cisco-router $NVID native_vlanid

Syntax Description

$NVID native_vlanid

Specifies a native VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro apply cisco-router command, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Enables the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch.

macro apply cisco-switch

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch, use the macro apply cisco-switch command.

macro apply cisco-switch $NVID native_vlanid

Syntax Description

$NVID native_vlanid

Specifies a native VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply this macro, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Enables the Cisco-recommended features and settings that are suitable for connecting a switch port to a router.

macro auto device

Use the macro auto device command to simplify changing the parameters for a built-in function for a device type. Use the no form of this command to revert to the initial parameter values.

macro auto device device_type [params values]

no macro auto device device_type [params values]

Syntax Description

device_type

Specifies the device type.

•phone—Apply interface configs on detecting a phone

•switch—Apply interface configs on detecting a switch

•router—Apply interface configs on detecting a router

•ap—Apply interface configs on detecting an ap

•lwap—Apply interface configs on detecting a light weight ap

•dmp—Apply interface configs on detecting a DMP

•ipvsc—Apply interface configs on detecting a IPVSC

param name=value

(Optional) parameter=value—Replace default values that begin with $. Enter new values in the form of name value pair separated by a space: [<name1>=<value1> <name2>=<value2>...]. Default values are shown in parenthesis.

Command Modes

Global configuration

Command History

Release

Modification

12.2(54)SG

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Although you can use the macro auto execute command to produce the same effect as the macro auto device command, the latter is simpler.

Examples

This example shows how to change the access VLAN and voice VLAN from their default value to user defined values for phone devices.

macro auto execute (built-in function)

Use the macro auto execute configuration command to change built-in function default values or to map user-defined triggers to built-in functions and to pass the parameter values. Use the no form of this command to unmap the trigger.

You can also create user-defined triggers and use this command to map the triggers to built-in functions.

You can create user-defined event triggers by entering the shell trigger global configuration command. Use the show shell privileged EXEC command to display the contents of the built-in and user-defined triggers and functions.

Examples

This example shows how to use two built-in Auto Smartports macros for connecting Cisco switches and Cisco IP phones to the switch. It modifies the default voice VLAN, access VLAN, and native VLAN for the trunk interface:

Switch# configure terminal

Switch(config)#!!! the next command modifies the access and voice vlans

Switch(config)#!!! for the built in Cisco IP phone auto smartport macro

macro auto execute (user-defined function)

Use the macro auto execute configuration command to map a trigger to a user-defined function. Use the no form of this command to unmap the trigger.

macro auto execute trigger_name [param_name=value] {function body}

no macro auto execute trigger_name [param_name=value]

Syntax Description

trigger_name

Specifies the trigger name.

param name=value

(Optional) Specifies values for the parameters that are to be used in the function body.

function_body

Shell functions with CLIs.

Defaults

None.

Command Modes

Global configuration

Command History

Release

Modification

12.2(54)SG

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Because the function defined in this command does not have a name, you cannot use it to map to another trigger. This is the only way that you can map a trigger to a user-defined function. Shell functions defined in the non-configure mode cannot be used to map triggers.

Examples

This example shows how to map the user-defined event trigger Cisco Digital Media Player (DMP) to a user-defined macro.

a. Connect the DMP to an 802.1x- or MAB-enabled switch port.

b. On the RADIUS server, set the attribute-value pair to auto-smart-port=CISCO_DMP_EVENT.

macro auto global processing

Use the macro auto global processing global configuration command to enable Auto SmartPorts macros on the switch. Use the no form of this command to disable Auto SmartPorts (ASP) macros globally.

macro auto global processing [fallback cdp] [fallback lldp]

no macro auto global processing [fallback cdp] [fallback lldp]

Syntax Description

fallback cdp

Selects CDP as fallback mode.

fallback lldp

Selects LLDP as fallback mode.

Defaults

Auto Smartports is disabled.

Command Modes

Global configuration

Command History

Release

Modification

12.2(54)SG

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Use the macro auto global processing global configuration command to globally enable Auto Smartports macros on the switch. To disable ASP macros on a specific port, use the no macro auto processing command in the interface mode before ASP is enabled globally.

Auto Smartports macros dynamically configure ports based on the device type detected on the port. When the switch detects a new device on a port it applies the appropriate ASP macro. When a link-down event occurs on a port, the switch removes the macro. For example, when you connect a Cisco IP phone to a port, ASP automatically applies the IP phone macro. The IP phone macro enables quality of service (QoS), security features, and a dedicated voice VLAN to ensure proper treatment of delay-sensitive voice traffic.

ASP uses event triggers to map devices to macros. The most common event triggers are based on Cisco Discovery Protocol (CDP) messages received from connected devices. The detection of a device invokes a CDP event trigger: Cisco IP phone, Cisco wireless access point, Cisco switch, or Cisco router. Other event triggers use MAC authentication bypass (MAB) and 802.1X authentication messages.

Use CDP if port authentication is enabled and the RADIUS server does not send an event trigger.

Select LLDP to apply auto configuration if authentication fails.

If authentication is enabled on a port, a switch ignores CDP and LLDP messages unless the fallback cdp keyword is enabled.

When using 802.1X or MAB authentication, configure the RADIUS server to support the Cisco attribute-value (AV) pair auto-smart-port=event trigger.

To verify that an ASP macro is applied to an interface, use the show running-config command.

The macro auto global processing fallback cdp and macro auto global processing fallback lldp commands enable ASP globally if it is not already enabled, and set the fallback to CDP or LLDP, respectively. However, the no macro auto global processing fallback [cdp | lldp] command only removes the fallback mechanism. It does not disable ASP globally; only the no macro auto global processing command disables ASP globally.

The keywords fallback cdp and fallback lldp are also controlled at the interface level; by default, CDP is the fallback mechanism on an interface. If you prefer LLDP, first enter the no macro auto processing fallback cdp command, then enter the macro auto processing fallback lldp command.

If you want to activate both CDP and LLDP, you must enable them in sequence. For example, you would first enter the macro auto processing fallback cdp command, then the macro auto processing fallback lldp command.

Examples

This example shows how to enable ASP on a switch and to disable the feature on Gi1/0/1:

macro auto processing

Note Only use this command when Auto SmartPorts (ASP) is enabled globally; when ASP is disabled globally, interface-level control has no effect.

Use the macro auto processing interface configuration command to enable ASP macros on a specific interface. Use the no form of this command to disable ASP on a specific interface before ASP is enabled globally.

macro auto processing [fallback cdp] [fallback lldp]

no macro auto processing [fallback cdp] [fallback lldp]

Syntax Description

fallback cdp

Specifies CDP as the fallback mechanism.

fallback lldp

Specifies LLDP as the fallback mechanism.

Defaults

Fallback mechanism is CDP.

Command Modes

Interface level configuration

Command History

Release

Modification

12.2(54)SG

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The no macro auto processing command should be configured on all interfaces where ASP is not desirable (such as Layer 3 and EtherChannel interfaces) before ASP is enabled globally.

At the interface level, the default fallback mechanism is CDP. To change the mechanism to LLDP, enter the no macro auto processing fallback cdp command, followed by the macro auto processing fallback lldp command.

macro auto sticky

Use the macro auto sticky configuration command to specify that configurations applied by ASP are not removed across link flaps and device removal.

macro auto sticky

Syntax Description

This command has no arguments or keywords.

Defaults

Not sticky (macros are removed

Command Modes

Global configuration

Command History

Release

Modification

12.2(54)SG

This command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command enables you to avoid unnecessary removal of ASP configurations when a feature intentionally shuts down a link (like EnergyWise, which shuts down inactive links to save energy). When such a feature is enabled, you don't want ASP macros to be applied and removed unnecessarily. So you configure the sticky feature.

Related Commands

macro global description

To enter a description about the macros that are applied to the switch, use the macro global description global configuration command on the switch stack or on a standalone switch. Use the no form of this command to remove the description.

macro global description text

no macro global description text

Syntax Description

text

Enters a description about the macros that are applied to the switch.

Defaults

This command has no default setting.

Command Modes

Global configuration mode

Command History

Release

Modification

12.2(31)SG

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command associates comment text, or the macro name, with a switch. When multiple macros are applied on a switch, the description text will be from the last applied macro.

Examples

This example shows how to add a description to a switch:

Switch(config)# macro global description udld aggressive mode enabled

You can verify your settings by entering the show parser macro description privileged EXEC command.

Related Commands

main-cpu

To enter the main CPU submode and manually synchronize the configurations on the two supervisor engines, use the main-cpu command.

main-cpu

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Redundancy mode

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch. (Catalyst 4507R only).

Usage Guidelines

The main CPU submode is used to manually synchronize the configurations on the two supervisor engines. From the main CPU submode, use the auto-sync command to enable automatic synchronization of the configuration files in NVRAM.

Note After you enter the main CPU submode, you can use the auto-sync command to automatically synchronize the configuration between the primary and secondary route processors based on the primary configuration. In addition, you can use all of the redundancy commands that are applicable to the main CPU.

Examples

This example shows how to reenable the default automatic synchronization feature using the auto-sync standard command to synchronize the startup-config and config-register configuration of the active supervisor engine with the standby supervisor engine. The updates for the boot variables are automatic and cannot be disabled.

Syntax Description

access-group acl-index-or-name

Number or name of an IP standard or extended access control list (ACL) or MAC ACL. For an IP standard ACL, the ACL index range is 1 to 99 and 1300 to 1999. For an IP extended ACL, the ACL index range is 100 to 199 and 2000 to 2699.

cos cos-list

Lists up to four Layer 2 class of service (CoS) values to match against a packet. Separate each value with a space. The range is 0 to 7.

[ip] dscp dscp-list

(Optional) IP keyword. It specifies that the match is for IPv4 packets only. If not used, the match is for both IPv4 and IPv6 packets.

Lists up to eight IP Differentiated Services Code Point (DSCP) values to match against a packet. Separate each value with a space. The range is 0 to 63. You also can enter a mnemonic name for a commonly used value.

[ip] precedence ip-precedence-list

(Optional) IP keyword. It specifies that the match is for IPv4 packets only. If not used, the match is for both IPv4 and IPv6 packets.

Lists up to eight IP-precedence values to match against a packet. Separate each value with a space. The range is 0 to 7. You also can enter a mnemonic name for a commonly used value.

qos-group value

Specifies the internally generated qos-group value assigned to a packet on the input qos classification.

protocol ip

Specifies IP in the Ethernet header. The match criteria are supported on the Supervisor Engine 6-E and Catalyst 4900M chassis. Though visible in the command-line help strings, the only protocol types supported are IP, IPv6, and ARP.

protocol ipv6

Specifies IPv6 in the Ethernet header. The match criteria are supported on the Supervisor Engine 6-E and Catalyst 4900M chassis. Though visible in the command-line help strings, the only protocol types supported are IP, IPv6, and ARP.

protocol arp

Specifies ARP in the Ethernet header. The match criteria are supported on the Supervisor Engine 6-E and Catalyst 4900M chassis. Though visible in the command-line help strings, the only protocol types supported are IP, IPv6, and ARP.

Defaults

No match criteria are defined.

Command Modes

Class-map configuration mode

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switches.

12.2(40)SG

Added support for the Supervisor Engine 6-E and Catalyst 4900M chassis.

12.2(46)SG

Added support for the match protocol arp command on the Supervisor Engine 6-E and Catalyst 4900M chassis.

Usage Guidelines

Before entering the match command, you must first enter the class-map global configuration command to specify the name of the class whose match criteria you want to establish. The match command is used to specify which fields in the packets are examined to classify the packets. If a packet matches the specified criteria, the packet is considered a member of the class and is forwarded according to the quality of service (QoS) specifications set in the traffic policy.

For the match ip dscp dscp-list or the match ip precedence ip-precedence-list command, you can enter a mnemonic name for a commonly used value. For example, you can enter the match ip dscp af11 command, which is the same as entering the match ip dscp 10 command. You can enter the match ip precedence critical command, which is the same as entering the match ip precedence 5 command. For a list of supported mnemonics, enter the match ip dscp ? or the match ip precedence ? command to see the command-line help strings.

To match only IPv6 packets, you must use the match protocol ipv6 command. To match only IPv4 packets you can use either the ip prefix or the protocol ip keyword.

To match only ARP packets, you must use the match protocol arp command.

You can configure the match cos cos-list, match ip dscp dscp-list, and match ip precedence ip-precedence-list commands in a class map within a policy map.

The match cos cos-list command applies only to Ethernet frames that carry a VLAN tag.

The match qos-group command is used by the class map to identify a specific QoS group value assigned to a packet. The QoS group value is local to the switch and is associated with a packet on the input QoS classification.

Packets that do not meet any of the matching criteria are classified as members of the default traffic class. You configure it by specifying class-default as the class name in the class policy-map configuration command. For more information, see the "class" section.

Examples

This example shows how to create a class map called class2, which matches all the inbound traffic with DSCP values of 10, 11, and 12:

Switch# configure terminal

Switch(config)# class-map class2

Switch(config-cmap)# match ip dscp 10 11 12

Switch(config-cmap)# exit

Switch#

This example shows how to create a class map called class3, which matches all the inbound traffic with IP-precedence values of 5, 6, and 7 for both IPv4 and IPv6 traffic:

Switch# configure terminal

Switch(config)# class-map class3

Switch(config-cmap)# match ip precedence 5 6 7

Switch(config-cmap)# exit

Switch#

This example shows how to delete the IP-precedence match criteria and to classify traffic using acl1:

Switch# configure terminal

Switch(config)# class-map class2

Switch(config-cmap)# match ip precedence 5 6 7

Switch(config-cmap)# no match ip precedence

Switch(config-cmap)# match access-group acl1

Switch(config-cmap)# exit

Switch#

This example shows how to specify a class-map that applies only to IPv6 traffic on a Supervisor Engine 6-E:

Switch# configure terminal

Switch(config)# class-map match-all ipv6_only

Switch(config-cmap)# match dscp af21

Switch(config-cmap)# match protocol ipv6

Switch(config-cmap)# exit

Switch#

You can verify your settings by entering the show class-map privileged EXEC command.

Syntax Description

(Optional) Comprises the full flow keyword; treats each flow with unique IP source, destination, protocol, and Layer 4 source and destination address as a new flow.

destination-address

Establishes a new flow from a flow with a unique IP destination address.

Defaults

This command has no default settings.

Command Modes

class-map configuration submode

Command History

Release

Modification

12.2(25)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.2(25)SG

Support for the full flow option was added.

Usage Guidelines

When you specify the source-address keyword, each flow with a unique source address is treated as a new flow.

When you specify the destination-address keyword, each flow with a unique destination address is treated as a new flow.

A policy map is called a flow-based policy map when you configure the flow keywords on the class map that it uses. To attach a flow-based policy map as a child to an aggregate policy map, use the service-policy command.

Note The match flow command is available on the Catalyst 4500 series switch only when Supervisor Engine VI (WS-X4516-10GE) is present.

Examples

This example shows how to create a flow-based class map associated with a source address:

Switch(config)# class-map match-all c1

Switch(config-cmap)# match flow ip source-address

Switch(config-cmap)# end

Switch#

Switch# show class-map c1

Class Map match-all c1 (id 2)

Match flow ip source-address

Switch#

This example shows how to create a flow-based class map associated with a destination address:

Switch(config)# class-map match-all c1

Switch(config-cmap)# match flow ip destination-address

Switch(config-cmap)# end

Switch#

Switch# show class-map c1

Class Map match-all c1 (id 2)

Match flow ip destination-address

Switch#

Assume there are two active flows on the Fast Ethernet interface 6/1 with source addresses 192.168.10.20 and 192.168.10.21. The following example shows how to maintain each flow to 1 Mbps with an allowed burst value of 9000 bytes:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# class-map c1

Switch(config-cmap)# match flow ip source-address

Switch(config-cmap)# exit

Switch(config)# policy-map p1

Switch(config-pmap)# class c1

Switch(config-pmap-c)# police 1000000 9000

Switch(config-pmap-c)# exit

Switch(config-pmap)# exit

Switch(config)# interface fastethernet6/1

Switch(config-if)# service-policy input p1

Switch(config-if)# end

Switch# write memory

Switch# show policy-map interface

FastEthernet6/1

Service-policy input: p1

Class-map: c1 (match-all)

15432182 packets

Match: flow ip source-address

police: Per-interface

Conform: 64995654 bytes Exceed: 2376965424 bytes

Class-map: class-default (match-any)

0 packets

Match: any

0 packets

Switch#

Assume there are two active flows on the Fast Ethernet interface 6/1 with destination addresses of 192.168.20.20 and 192.168.20.21. The following example shows how to maintain each flow to 1 Mbps with an allowed burst value of 9000 bytes:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# class-map c1

Switch(config-cmap)# match flow ip destination-address

Switch(config-cmap)# exit

Switch(config)# policy-map p1

Switch(config-pmap)# class c1

Switch(config-pmap-c)# police 1000000 9000

Switch(config-pmap-c)# exit

Switch(config-pmap)# exit

Switch(config)# interface fastethernet6/1

Switch(config-if)# service-policy input p1

Switch(config-if)# end

Switch# write memory

Switch# show policy-map interface

FastEthernet6/1

Service-policy input: p1

Class-map: c1 (match-all)

2965072 packets

Match: flow ip destination-address

police: Per-interface

Conform: 6105636 bytes Exceed: 476652528 bytes

Class-map: class-default (match-any)

0 packets

Match: any

0 packets

Switch#

Assume there are two active flows as shown below on the Fast Ethernet interface 6/1:

SrcIp DstIp IpProt SrcL4Port DstL4Port

--------------------------------------------------------

192.168.10.10 192.168.20.20 20 6789 81

192.168.10.10 192.168.20.20 20 6789 21

With the following configuration, each flow is policed to 1000000 bps with an allowed 9000-byte burst value.

Note If you use the match flow ip source-address | destination-address command, these two flows are consolidated into one flow because they have the same source and destination address.

Displays the statistics and configurations of the input and output policies that are attached to an interface.

mdix auto

To enable the automatic medium-dependent interface crossover (auto-MDIX) feature on the interface, use the mdix auto command. When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. Use the no form of this command to disable auto-MDIX.

mdix auto

no mdix auto

Syntax Description

This command has no arguments or keywords.

Defaults

Auto-MDIX is enabled.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(31)SGA

Support for this command was introduced on the Catalyst 4500 series switch.

12.2(46)SG

Added supported and unsupported linecard information to the usage guidelines.

Usage Guidelines

The following linecards support Auto-MDIX through the CLI on their copper media ports: WS-X4124-RJ45, WS-X4148-RJ45 (hardware revision 3.0 or higher), WS-X4232-GB-RJ45 (hardware revision 3.0 or higher), WS-X4920-GE-RJ45, and WS-4648-RJ45V+E (Auto-MDIX is supported when inline power is disabled on the port).

Linecards that support auto-MDIX by default when port auto-negotiation is enabled, and on which it cannot be turned off using an mdix CLI command, include: WS-X4448-GB-RJ45, WS-X4548-GB-RJ45, WS-X4424-GB-RJ45, and WS-X4412-2GB-T.

media-type

To select the connector for a dual-mode capable port, use the media-type command.

media-type {rj45 | sfp}

Syntax Description

rj45

Uses the RJ-45 connector.

sfp

Uses the SFP connector.

Defaults

sfp

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(20)EWA

Support for this command was introduced for the WS-X4306-GB-T module and the WS-X4948 chassis.

Usage Guidelines

This command is supported on all ports on the WS-X4306-GB-T module and ports 1/45-48 on the WS-X4948 chassis.

Entering the show interface capabilities command provides the Multiple Media Types field, which displays the value no if a port is not dual-mode capable and lists the media types (sfp and rj45) for dual-mode capable ports.

Examples

This example shows how to configure port 5/45 on a WS-X4948 chassis to use the RJ-45 connector:

Switch(config)# interface gigabitethernet 5/45

Switch(config-if)# media-type rj45

mode

To set the redundancy mode, use the mode command.

mode {rpr | sso}

Syntax Description

rpr

Specifies RPR mode.

sso

Specifies SSO mode.

Defaults

For Catalyst 4500 series switches that are configured with Supervisor Engine II+, Supervisor Engine IV, and Supervisor Engine V, the defaults are as follows:

•SSO if the supervisor engine is using Cisco IOS Release 12.2(20)EWA.

•RPR if the supervisor engine is using Cisco IOS Release 12.1(12c)EW through 12.2(18)EW, as well as 12.1(xx)E.

Note If you are upgrading the current supervisor engine from Cisco IOS Release 12.2(18)EW or an earlier release to 12.2(20)EWA, and the RPR mode has been saved to the startup configuration, both supervisor engines will continue to operate in RPR mode after the software upgrade. To use SSO mode, you must manually change the redundancy mode to SSO.

Command Modes

Redundancy configuration mode

Command History

Release

Modification

12.2(20)EWA

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

RPR and SSO mode are not supported on Catalyst 4500 series switches that are configured with Supervisor Engine 2.

The mode command can be entered only from within redundancy configuration mode.

Follow these guidelines when configuring your system to RPR or SSO mode:

•You must use identical Cisco IOS images and supervisor engines to support RPR and SSO mode. Redundancy may not work due to differences between the Cisco IOS release and supervisor engine capabilities.

•Any modules that are not online at the time of a switchover are reset and reloaded on a switchover.

•If you perform an OIR of the module within 60 seconds before a stateful switchover, the module resets during the stateful switchover and the port states are restarted.

•The FIB tables are cleared on a switchover. Routed traffic is interrupted until route tables reconverge.

The redundant supervisor engine reloads on any mode change and begins to work in the current mode.

monitor session

To enable the SPAN sessions on interfaces or VLANs, use the monitor session command. To remove one or more source or destination interfaces from a SPAN session, or a source VLAN from a SPAN session, use the no form of this command.

Usage Guidelines

Only one SPAN destination for a SPAN session is supported. If you attempt to add another destination interface to a session that already has a destination interface that is configured, you will get an error. You must first remove a SPAN destination interface before changing the SPAN destination to a different interface.

Beginning in Cisco IOS Release 12.1(12c)EW, you can configure sources from different directions within a single user session.

Note Beginning in Cisco IOS Release 12.1(12c)EW, SPAN is limited to two sessions containing ingress sources and four sessions containing egress sources. Bidirectional sources support both ingress and egress sources.

A particular SPAN session can either monitor VLANs or monitor individual interfaces: you cannot have a SPAN session that monitors both specific interfaces and specific VLANs. If you first configure a SPAN session with a source interface, and then try to add a source VLAN to the same SPAN session, you will receive an error. You will also receive an error message if you configure a SPAN session with a source VLAN, and then try to add a source interface to that session. You must first clear any sources for a SPAN session before switching to another type of source. CPU sources may be combined with source interfaces and source VLANs.

When configuring the ingress option on a destination port, you must specify an ingress VLAN if the configured encapsulation type is untagged (the default) or is 802.1Q. If the encapsulation type is ISL, then no ingress VLAN specification is necessary.

By default, when you enable ingress, no host learning is performed on destination ports. When you enter the learning keyword, host learning is performed on the destination port, and traffic to learned hosts is forwarded out the destination port.

If you enter the filter keyword on a monitored trunking interface, only traffic on the set of specified VLANs is monitored. Port-channel interfaces are displayed in the list of interface options if you have them configured. VLAN interfaces are not supported. However, you can span a particular VLAN by entering the monitor session session source vlan vlan-id command.

The packet-type filters are supported only in the Rx direction. You can specify both Rx- and Tx-type filters and multiple-type filters at the same time (for example, you can use good and unicast to only sniff nonerror unicast frames). As with VLAN filters, if you do not specify the type, the session will sniff all packet types.

The queue identifier allows sniffing for only traffic that is sent or received on the specified CPU queues. The queues may be identified either by number or by name. The queue names may contain multiple numbered queues for convenience.

Examples

This example shows how to configure IP access group 100 on a SPAN session:

Switch# configure terminal

Switch(config)# monitor session 1 filter ip access-group 100

Switch(config)# end

Switch#

This example shows how to add a source interface to a SPAN session:

Switch# configure terminal

Switch(config)# monitor session 1 source interface fa2/3

Switch(config)# end

Switch#

This example shows how to configure the sources with different directions within a SPAN session:

Switch# configure terminal

Switch(config)# monitor session 1 source interface fa2/3 rx

Switch(config)# monitor session 1 source interface fa2/2 tx

Switch(config)# end

This example shows how to remove a source interface from a SPAN session:

Switch# configure terminal

Switch(config)# no monitor session 1 source interface fa2/3

Switch(config)# end

This example shows how to limit SPAN traffic to VLANs 100 through 304:

Switch# configure terminal

Switch(config)# monitor session 1 filter vlan 100 - 304

Switch(config)# end

This example shows how to configure RSPAN VLAN 20 as the destination:

Switch# configure terminal

Switch(config)# monitor session 2 destination remote vlan 20

Switch(config)# end

This example shows how to use queue names and queue number ranges for the CPU as a SPAN source on Supervisor Engine 6-E:

Switch# configure terminal

Switch(config)# monitor session 2 source cpu queue control-packet rx

Switch(config)# monitor session 3 source cpu queue 10 rx

Switch(config)# end

Note For Supervisor Engine 6-E, control-packet is mapped to queue 10.

Related Commands

mtu

To enable jumbo frames on an interface by adjusting the maximum size of a packet or maximum transmission unit (MTU), use the mtu command. To return to the default setting, use the no form of this command.

mtu bytes

no mtu

Syntax Description

bytes

Byte size; valid values are from 1500 to 9198.

Defaults

The default settings are as follows:

•Jumbo frames are disabled

•1500 bytes for all ports

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

Jumbo frames are supported on nonblocking Gigabit Ethernet ports, switch virtual interfaces (SVI), and EtherChannels. Jumbo frames are not available for stub-based ports.

The baby giants feature uses the global system mtu size command to set the global baby giant MTU. It allows all stub-based port interfaces to support an Ethernet payload size of up to 1552 bytes.

Both the system mtu command and the per-interface mtu command work on interfaces that can support jumbo frames, but the per-interface mtu command takes precedence.

nmsp

To configure Network Mobility Services Protocol (NMSP) on the switch, use the nmsp command. This command is available only when your switch is running the cryptographic (encrypted) software image. Use the no form of this command to return to the default setting.

nmsp attachment suppress

To suppress reporting attachment information from a specified interface, use the nmsp attachment suppress interface command. This command is available only when your switch is running the cryptographic (encrypted) software image. Use the no form of this command to report attachment information.

nmsp attachment suppress

no nmsp attachment suppress

Syntax Description

This command has no arguments or keywords.

Defaults

Attachment information is reported.

Command Modes

Interface configuration mode

Command History

Release

Modification

12.2(52)SG

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Use the nmsp attachment suppress interface configuration command to configure an interface to not send attachment notifications to a Cisco Mobility Services Engine (MSE).

Examples

This example shows how to configure an interface to not send attachment information to the MSE:

Syntax Description

Specifies the range of subinterfaces being configured; see the "Usage Guidelines" section.

Defaults

Routing updates are sent on the interface.

Command Modes

Router configuration mode

Command History

Release

Modification

12.2(31)SG

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You can use the passive-interface range command on the following interfaces: FastEthernet, GigabitEthernet, VLAN, Loopback, Port-channel, 10-GigabitEthernet, and Tunnel. When you use the passive-interface range command on a VLAN interface, the interface should be one of the existing VLAN SVIs. To display the VLAN SVIs, enter the show running-config command. The VLANs that are not displayed cannot be used in the passive-interface range command.

The values that are entered with the passive-interface range command are applied to all the existing VLAN SVIs.

All configuration changes that are made to a port range through the passive-interface range command are retained in the running-configuration as individual passive-interface commands.

You can enter the range in two ways:

•Specifying up to five interface ranges

•Specifying a previously defined macro

You can either specify the interfaces or the name of an interface-range macro. An interface range must consist of the same interface type, and the interfaces within a range cannot span across the modules.

You can define up to five interface ranges on a single command; separate each range with a comma:

interface range gigabitethernet 5/1-20, gigabitethernet4/5-20.

Use this format when entering the port-range:

•interface-type {mod}/{first-port} - {last-port}

You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.

You can specify a single interface in the range range value. This makes the command similar to the passive-interface interface-number command.

Note The range keyword is only supported in OSPF, EIGRP, RIP, and ISIS router mode.

If you disable the sending of routing updates on an interface, the particular subnet will continue to be advertised to other interfaces, and updates from other routers on that interface continue to be received and processed.

The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces.

For the Open Shortest Path First (OSPF) protocol, OSPF routing information is neither sent nor received through the specified router interface. The specified interface address appears as a stub network in the OSPF domain.

For the Intermediate System-to-Intermediate System (IS-IS) protocol, this command instructs IS-IS to advertise the IP addresses for the specified interface without actually running IS-IS on that interface. The no form of this command for IS-IS disables advertising IP addresses for the specified address.

Note For IS-IS you must keep at least one active interface and configure the interface with the ip router isis command.

Enhanced Interior Gateway Routing Protocol (EIGRP) is disabled on an interface that is configured as passive although it advertises the route.

Examples

The following example sends EIGRP updates to all interfaces on network 10.108.0.0 except GigabitEthernet interface 1/1:

Switch(config)# interface gigabitethernet 1/1

Switch(config-if)# router eigrp 109

Switch(config-router)# network 10.108.0.0

Switch(config-router)# passive-interface gigabitethernet 1/1

Switch(config-router)#

The following configuration enables IS-IS on Ethernet interface 1 and serial interface 0 and advertises the IP addresses of Ethernet interface 0 in its link-state protocol data units (PDUs):

Switch(config-if)# router isis Finance

Switch(config-router)# passive-interface Ethernet 0

Switch(config-router)# interface Ethernet 1

Switch(config-router)# ip router isis Finance

Switch(config-router)# interface serial 0

Switch(config-router)# ip router isis Finance

Switch(config-router)#

The following example sets all interfaces as passive, then activates Ethernet interface 0:

Switch(config-if)# router ospf 100

Switch(config-router)# passive-interface default

Switch(config-router)# no passive-interface ethernet0

Switch(config-router)# network 10.108.0.1 0.0.0.255 area 0

Switch(config-router)#
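The passive-interface default and no passive-interface behavior described above can be audited offline against a saved configuration. The following Python sketch is an added example, not Cisco code: SAMPLE_CONFIG is constructed, and the function names and the allow-list format are assumptions made for illustration. It relies on the statement above that range entries are retained in the running configuration as individual passive-interface commands.

```python
import re

# Constructed running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.108.0.1 255.255.255.0
!
interface Ethernet1
 ip address 10.108.1.1 255.255.255.0
!
interface GigabitEthernet1/1
 ip address 10.108.2.1 255.255.255.0
!
router ospf 100
 passive-interface default
 no passive-interface Ethernet0
 network 10.108.0.1 0.0.0.255 area 0
!
router eigrp 109
 network 10.108.0.0
 passive-interface GigabitEthernet1/1
!
"""


def norm(name):
    """Canonical interface key: lower case, no space between type and number."""
    return re.sub(r"\s+", "", name).lower()


def parse(config_text):
    """Return (interfaces, routers) found in an IOS-style configuration."""
    interfaces = {}   # canonical key -> name as written
    routers = {}      # "ospf 100" -> {"default": bool, "explicit": {key: bool}}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():          # top-level command: new block
            current = None
            m = re.match(r"interface\s+(.+)$", line, re.I)
            if m:
                interfaces[norm(m.group(1))] = re.sub(r"\s+", "", m.group(1))
                continue
            m = re.match(r"router\s+(.+)$", line, re.I)
            if m:
                proc = " ".join(m.group(1).split()).lower()
                current = routers.setdefault(
                    proc, {"default": False, "explicit": {}})
            continue
        if current is None:
            continue                      # sub-command of some other block
        m = re.match(r"(no\s+)?passive-interface\s+(.+)$", line, re.I)
        if not m:
            continue
        passive = m.group(1) is None      # the "no" form makes it active
        target = norm(m.group(2))
        if target == "default":
            current["default"] = passive
        else:
            # Assumption: a per-interface statement overrides the default
            # regardless of the order in which the lines appear.
            current["explicit"][target] = passive
    return interfaces, routers


def non_passive(config_text):
    """Per routing process, the interfaces that are NOT passive.

    Whether the protocol actually runs on them still depends on the
    network statements, which this sketch does not evaluate.
    """
    interfaces, routers = parse(config_text)
    return {
        proc: sorted(name for key, name in interfaces.items()
                     if not state["explicit"].get(key, state["default"]))
        for proc, state in routers.items()
    }


def unexpected(config_text, allowed):
    """Non-passive interfaces that are missing from the allow-list."""
    findings = []
    for proc, names in non_passive(config_text).items():
        ok = {norm(n) for n in allowed.get(proc, ())}
        findings += [(proc, n) for n in names if norm(n) not in ok]
    return sorted(findings)


if __name__ == "__main__":
    print(non_passive(SAMPLE_CONFIG))
    print(unexpected(SAMPLE_CONFIG,
                     {"ospf 100": ["Ethernet0"], "eigrp 109": ["Ethernet0"]}))
```

With the constructed sample, the OSPF process is non-passive only on Ethernet0, while the EIGRP process, which lacks passive-interface default, is also non-passive on Ethernet1 and is reported against the allow-list.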

The following configuration sets the Ethernet ports 3 through 4 on module 0 and GigabitEthernet ports 4 through 7 on module 1 as passive:

Command History

This command was introduced on the Catalyst 4500 series switch using a Supervisor Engine 6E.

Usage Guidelines

Use the police command to mark a packet with different quality of service (QoS) values based on conformance to the service-level agreement.

Traffic policing will not be executed for traffic that passes through an interface.

Specifying Multiple Actions

The police command allows you to specify multiple policing actions. When specifying multiple policing actions when configuring the police command, note the following points:

•You can specify a maximum of four actions at one time.

•You cannot specify contradictory actions such as conform-action transmit and conform-action drop.

Using the Police Command with the Traffic Policing Feature

The police command can be used with the Traffic Policing feature. The Traffic Policing feature works with a token bucket algorithm. Two types of token bucket algorithms are a single-token bucket algorithm and a two-token bucket algorithm. A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.

Token Bucket Algorithm with One Token Bucket

The one token bucket algorithm is used when the violate-action option is not specified in the police command of the command-line interface (CLI).

The conform bucket is initially set to the full size (the full size is the number of bytes specified as the normal burst size).

When a packet of a given size (for example, "B" bytes) arrives at specific time (time "T") the following actions occur:

•Tokens are updated in the conform bucket. If the previous arrival of the packet was at T1 and the current time is T, the bucket is updated with (T - T1) worth of bits based on the token arrival rate. The token arrival rate is calculated as follows:

•If the number of bytes in the conform bucket minus B is greater than or equal to 0, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is completed for the packet.

•If the number of bytes in the conform bucket minus B (the packet size to be limited) is less than 0, the exceed action is taken.

Token Bucket Algorithm with Two Token Buckets (Refer to RFC 2697)

The two-token bucket algorithm is used when the violate-action is specified in the police command CLI.

The conform bucket is initially full (the full size is the number of bytes specified as the normal burst size).

The exceed bucket is initially full (the full exceed bucket size is the number of bytes specified in the maximum burst size).

The tokens for both the conform and exceed token buckets are updated based on the token arrival rate, or committed information rate (CIR).

When a packet of given size (for example, "B" bytes) arrives at specific time (time "T") the following actions occur:

•Tokens are updated in the conform bucket. If the previous arrival of the packet was at T1 and the current arrival of the packet is at T, the bucket is updated with T - T1 worth of bits based on the token arrival rate. The refill tokens are placed in the conform bucket. If the tokens overflow the conform bucket, the overflow tokens are placed in the exceed bucket.

•If the number of bytes in the conform bucket minus B is greater than or equal to 0, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is taken. The exceed bucket is unaffected in this scenario.

•If the number of bytes in the conform bucket minus B is less than 0, the exceed token bucket is checked for enough bytes for the packet. If the number of bytes in the exceed bucket minus B is greater than or equal to 0, the exceed action is taken and B bytes are removed from the exceed token bucket. No bytes are removed from the conform bucket.

•If the number of bytes in the exceed bucket minus B is less than 0, the packet violates the rate and the violate action is taken. The action is complete for the packet.

Examples

Token Bucket Algorithm with One Token Bucket

This example shows how to define a traffic class (using the class-map command) and associate the match criteria from the traffic class with the Traffic Policing configuration, which is configured in the service policy (using the policy-map command). The service-policy command is then used to attach this service policy to the interface.

In this particular example, Traffic Policing is configured with the average rate at 8000 bits per second and the normal burst size at 1000 bytes for all packets leaving Gigabit Ethernet interface 6/1:

In this example, the token bucket starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet and 450 bytes are removed from the conform token bucket (leaving 550 bytes).

If the next packet arrives 0.25 seconds later, 250 bytes are added to the token bucket ((0.25 * 8000)/8), leaving 800 bytes in the token bucket. If the next packet is 900 bytes, the packet exceeds and the exceed action (drop) is taken. No bytes are taken from the token bucket.

In this particular example, Traffic Policing is configured with the average rate at 8000 bits per second, the normal burst size at 1000 bytes, and the excess burst size at 1000 bytes for all packets leaving Gigabit Ethernet interface 6/1.

In this example, the conform token bucket starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet and 450 bytes are removed from the conform token bucket (leaving 550 bytes).

If the next packet arrives 0.25 seconds later, 250 bytes are added to the conform token bucket ((0.25 * 8000)/8), leaving 800 bytes in the conform token bucket. If the next packet is 900 bytes, the packet does not conform because only 800 bytes are available in the conform token bucket.

The exceed token bucket, which starts full at 1000 bytes (as specified by the excess burst size), is then checked for available bytes. Because enough bytes are available in the exceed token bucket, the exceed action (set the QoS transmit value of 1) is taken and 900 bytes are taken from the exceed bucket (leaving 100 bytes in the exceed token bucket).

If the next packet arrives 0.40 seconds later, 400 bytes are added to the token buckets ((.40 * 8000)/8). Therefore, the conform token bucket now has 1000 bytes (the maximum number of tokens available in the conform bucket) and 200 bytes overflow the conform token bucket (because only 200 bytes were needed to fill the conform token bucket to capacity). These overflow bytes are placed in the exceed token bucket, giving the exceed token bucket 300 bytes.

If the arriving packet is 1000 bytes, the packet conforms because enough bytes are available in the conform token bucket. The conform action (transmit) is taken by the packet and 1000 bytes are removed from the conform token bucket (leaving 0 bytes).

If the next packet arrives 0.20 seconds later, 200 bytes are added to the token bucket ((.20 * 8000)/8). Therefore, the conform bucket now has 200 bytes. If the arriving packet is 400 bytes, the packet does not conform because only 200 bytes are available in the conform bucket. Similarly, the packet does not exceed because only 300 bytes are available in the exceed bucket. Therefore, the packet violates and the violate action (drop) is taken.
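The two walkthroughs above can be replayed with a small model of the policer, which is useful for checking how a chosen rate and burst size treat a given traffic pattern before the policy is deployed. This is an added example, not Cisco code: the class and function names are hypothetical, arrival gaps are given in milliseconds to keep the arithmetic in integers, and single-bucket behavior is assumed when no excess burst is supplied.

```python
# Added illustration: token-bucket policer model following the walkthroughs above.
# Names are hypothetical; this is not the switch's implementation.

class Policer:
    def __init__(self, rate_bps, normal_burst, excess_burst=None):
        self.rate_bps = rate_bps
        self.normal_burst = normal_burst   # conform bucket capacity, bytes
        self.excess_burst = excess_burst   # exceed bucket capacity, bytes (None = single bucket)
        self.conform = normal_burst        # buckets start full
        self.exceed = excess_burst or 0

    def _refill(self, gap_ms):
        tokens = gap_ms * self.rate_bps // 8000   # (seconds * bps) / 8, in bytes
        added = min(tokens, self.normal_burst - self.conform)
        self.conform += added
        if self.excess_burst is not None:
            # Bytes that overflow the conform bucket spill into the exceed bucket.
            self.exceed = min(self.exceed + tokens - added, self.excess_burst)

    def offer(self, gap_ms, size):
        """Classify a packet of `size` bytes arriving `gap_ms` ms after the previous one."""
        self._refill(gap_ms)
        if size <= self.conform:
            self.conform -= size
            return "conform"
        if self.excess_burst is None:
            return "exceed"                # single bucket: no bytes are removed
        if size <= self.exceed:
            self.exceed -= size
            return "exceed"
        return "violate"                   # neither bucket is debited


def run(policer, arrivals):
    """arrivals: list of (gap_ms, size_bytes). Returns (result, conform, exceed) per packet."""
    out = []
    for gap_ms, size in arrivals:
        result = policer.offer(gap_ms, size)
        out.append((result, policer.conform, policer.exceed))
    return out


# Constructed input: the packet sequences from the two walkthroughs (8000 bps, 1000-byte bursts).
SINGLE = run(Policer(8000, 1000), [(0, 450), (250, 900)])
DUAL = run(Policer(8000, 1000, 1000), [(0, 450), (250, 900), (400, 1000), (200, 400)])

if __name__ == "__main__":
    for row in SINGLE + DUAL:
        print(row)
```

Each tuple is the action class followed by the bytes left in the conform and exceed buckets after the packet is handled.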

Displays the statistics and configurations of the input and output policies that are attached to an interface.

police (percent)

To configure traffic policing on the basis of a percentage of bandwidth available on an interface, use the police command in QoS policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command.

Syntax Description

Committed information rate. Indicates that the CIR will be used for policing traffic.

percent

Specifies that a percentage of bandwidth will be used for calculating the CIR.

percent

Specifies the bandwidth percentage. Valid range is a number from 1 to 100.

bc

(Optional) Conform burst (bc) size used by the first token bucket for policing traffic.

conform-burst-in-msec

(Optional) Specifies the bc value in milliseconds. Valid range is a number from 1 to 2000.

pir

(Optional) Peak information rate (PIR). Indicates that the PIR will be used for policing traffic.

percent

(Optional) Specifies that a percentage of bandwidth will be used for calculating the PIR.

percent

(Optional) Specifies the bandwidth percentage. Valid range is a number from 1 to 100.

be

(Optional) Peak burst (be) size used by the second token bucket for policing traffic.

peak-burst-in-msec

(Optional) Specifies the be size in milliseconds. Valid range is a number from 1 to 2000.

action

Action to take on packets. Specify one of the following keywords:

•drop—Drops the packet.

•set-cos-transmit new-ios—Sets the class of service (CoS) value to a new value and sends the packet. The range is 0 to 7.

•set-dscp-transmit value—Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value setting.

•set-prec-transmit value—Sets the IP precedence and transmits the packet with the new IP precedence value setting.

•transmit—Transmits the packet. The packet is not altered.

Command Default

This command is disabled by default.

Command Modes

Policy-map class configuration mode

Command History

Release

Modification

12.2(40)SG

This command was introduced on the Catalyst 4500 series switch using a Supervisor Engine 6E.

Usage Guidelines

This command calculates the CIR and PIR on the basis of a percentage of the maximum amount of bandwidth available on the interface. When a policy map is attached to the interface, the equivalent CIR and PIR values in bits per second (bps) are calculated on the basis of the interface bandwidth and the percent value entered with this command. The show policy-map interface command can then be used to verify the bps rate calculated.

The calculated CIR and PIR bps rates must be in the range of 32,000 to 32,000,000,000 bps. If the rates are outside this range, the associated policy map cannot be attached to the interface. If the interface bandwidth changes (for example, more is added), the bps values of the CIR and the PIR are recalculated on the basis of the revised amount of bandwidth. If the CIR and PIR percentages are changed after the policy map is attached to the interface, the bps values of the CIR and PIR are recalculated.

This command also allows you to specify the values for the conform burst size and the peak burst size in milliseconds. If you want bandwidth to be calculated as a percentage, the conform burst size and the peak burst size must be specified in milliseconds (ms).

Examples

This example shows how to configure traffic policing using a CIR and a PIR based on a percentage of bandwidth on Gigabit interface 6/2. In this example, a CIR of 20 percent and a PIR of 40 percent have been specified. Additionally, an optional bc value and be value (300 ms and 400 ms, respectively) have been specified.
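The calculation described in the usage guidelines can be checked ahead of time for each interface a policy will be attached to. This is an added example, not Cisco code: the function names are hypothetical, the Gigabit interface is assumed to report 1,000,000,000 bps, and the conversion of a burst in milliseconds to bytes (rate multiplied by time, divided by 8) is an assumption because the page does not state it.

```python
# Added illustration: resolve percent-based policer values and apply the stated limits.
MIN_BPS, MAX_BPS = 32_000, 32_000_000_000   # attachable rate range from the usage guidelines


def resolve_police_percent(bandwidth_bps, cir_pct, bc_ms=None, pir_pct=None, be_ms=None):
    """Return the bps and byte values for one interface bandwidth.
    Raises ValueError where a value falls outside a range given on this page."""
    def rate(name, pct):
        if not 1 <= pct <= 100:
            raise ValueError(f"{name} percent {pct} is outside 1-100")
        bps = bandwidth_bps * pct // 100
        if not MIN_BPS <= bps <= MAX_BPS:
            raise ValueError(f"{name} of {bps} bps is outside {MIN_BPS}-{MAX_BPS} bps; "
                             "the policy map cannot be attached")
        return bps

    def burst(name, ms, bps):
        if ms is None:
            return None
        if not 1 <= ms <= 2000:
            raise ValueError(f"{name} of {ms} ms is outside 1-2000")
        return bps * ms // 8000   # assumption: bytes = bps * seconds / 8

    out = {"cir_bps": rate("CIR", cir_pct)}
    out["bc_bytes"] = burst("bc", bc_ms, out["cir_bps"])
    if pir_pct is not None:
        out["pir_bps"] = rate("PIR", pir_pct)
        out["be_bytes"] = burst("be", be_ms, out["pir_bps"])
    return out


def attachable(bandwidth_bps, **params):
    """True if the same percentages resolve to in-range rates at this bandwidth."""
    try:
        resolve_police_percent(bandwidth_bps, **params)
        return True
    except ValueError:
        return False


# Constructed case: the example's CIR 20 percent, PIR 40 percent, bc 300 ms, be 400 ms.
EXAMPLE = resolve_police_percent(1_000_000_000, 20, 300, 40, 400)

if __name__ == "__main__":
    print(EXAMPLE)
    # The same percentages on a constructed 100 kbps bandwidth give a 20,000 bps CIR.
    print(attachable(100_000, cir_pct=20, pir_pct=40))
```

Because the rates are recalculated when the interface bandwidth changes, rerunning the check with the new bandwidth shows whether the resolved rates still fall inside the attachable range.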

police (two rates)

To configure traffic policing using two rates, the committed information rate (CIR) and the peak information rate (PIR), use the police command in policy-map configuration mode. To remove two-rate traffic policing from the configuration, use the no form of this command.